15-Year-Old GhostLock Bug Hits Linux – Grants Root Access

linux ghostlock
linux ghostlock

A new report by Nebula Security reveals ‘GhostLock’ (CVE-2026-43499)—one of the most severe local privilege escalation (LPE) flaws in recent memory. This vulnerability has silently hidden inside every major Linux distribution for more than 15 years.

Google awarded the researchers a $92,337 reward because the flaw allows an insider or an app to completely take control of a system with a 97% success rate.

Key Points

  • Deeply Hidden: The mistake was introduced to the Linux system code in 2011. It has existed in almost all versions of Linux since then.
  • Easy to Trigger: An attacker does not need administrator rights or special permissions to start the attack. Any normal user or standard app can trigger it.
  • Escaping the Box: If a hacker compromises a small app inside an isolated container (like a Docker container), they can use this flaw to break out and take over the entire main server.
  • High Reliability: While many system flaws are unstable and cause computer crashes, this method works smoothly 97% of the time without crashing the system.

The Root Cause: A 15-Year-Old Identity Crisis

GhostLock is a Stack Use-After-Free (stack-UAF) vulnerability found within the kernel’s real-time mutex (rtmutex) implementation (kernel/locking/rtmutex.c). It was introduced all the way back in 2011 with Linux version 2.6.39 and remained completely unnoticed until it was finally patched in Linux 7.1.

The bug is structural, born from a classic helper function reuse assumption:

  1. The Assumption: The helper function remove_waiter() was written under the assumption that a thread only ever cleans up after itself. Thus, it automatically scrubs the currently running thread’s pointer: current->pi_blocked_on = NULL.
  2. The Reality Break: In “Requeue-PI” scenarios (Priority Inheritance futexes), the kernel uses a proxy path (rt_mutex_start_proxy_lock()) to clean up on behalf of a different, sleeping thread.
  3. The Glitch: When a deadlock condition (-EDEADLK) is triggered and the kernel rolls back, remove_waiter() executes. But because it still uses current, it clears the blocked status of the requeuing thread instead of the actual sleeping waiter thread.

The result? The sleeping waiter thread wakes up and returns to userspace, but its internal pi_blocked_on pointer is left dangling, pointing directly back to its own now-deallocated kernel stack frame.

Exploiting GhostLock: Bypassing KASLR and Forging the Waiter

Because the dangling pointer points to the kernel stack rather than the heap, exploiting it requires precise memory manipulation. The Nebula Security team chained a series of incredibly sophisticated primitives to achieve 97% exploitation stability:

  • The KASLR Leak: Researchers used a CPU hardware-level prefetch timing attack to accurately leak the Kernel Address Space Layout Randomization (KASLR) base and the physical memory map (physmap) base with near 100% reliability.
  • Stack Reclamation via PR_SET_MM_MAP: To reclaim the freed stack frame where the dangling pointer lives, researchers used the prctl(PR_SET_MM_MAP, …) system call. This allowed them to precisely overlay controlled bytes onto the waiter’s old stack and forge a fake rt_mutex_waiter structure perfectly.
  • The Control Flow Hijack: By orchestrating a priority chain walk through the forged waiter structure, the exploit forces an arbitrary pointer write. Researchers used this to overwrite a global protocol table (inet6_protos[IPPROTO_UDP]) and point it to a controlled CPU Entry Area (CEA).

When a simple loopback IPv6 UDP packet was subsequently sent, the kernel called the compromised handler, redirected the control flow into a custom ROP (Return-Oriented Programming) chain, and granted the attacker instant root privileges.

Impact and Mitigation

What makes GhostLock uniquely dangerous is its lack of prerequisites. Exploiting CVE-2026-43499 requires absolutely no special privileges, no unique kernel configurations, and no user namespaces. Any unprivileged local user or compromised container container can trigger the three-futex deadlock loop to initiate the attack.

Affected Range: Linux Kernel v2.6.39-rc1 to v7.1-rc1
Requirement: CONFIG_FUTEX_PI=y (Enabled by default in virtually all mainstream distros)

Remediation:

The vulnerability has been formally addressed by rewriting remove_waiter() to properly reference waiter->task->pi_lock instead of the generic current context. System administrators and enterprise security teams are strongly urged to update their Linux infrastructure to the latest LTS kernel versions immediately to neutralize this threat vector.

Nebula Security noted that their upcoming research paper will focus on how GhostLock can be adapted to bypass advanced Android security mitigations, including Control Flow Integrity (CFI).

Previous Article
Bug bounty hunting for beginners

Bug Bounty Hunting for Beginners: How to Find Your First Vulnerability (2026)

Related Posts