2026-07-08 · view entry permalink →
GhostLock (CVE-2026-43499) — Linux kernel rtmutex use-after-free with a public, 97%-reliable root and container-escape exploit
GhostLock (CVE-2026-43499) is a stack use-after-free in the Linux kernel's rtmutex priority-inheritance code, discovered by Nebula Security's automated bug-hunting tool VEGA (Nebula Security, 2026-07-07). The defect lives in remove_waiter() (kernel/locking/rtmutex.c): the helper unconditionally clears current->pi_blocked_on, an assumption valid on the normal self-blocking path but broken on the proxy-lock rollback path — rt_mutex_start_proxy_lock() can enqueue (and, on -EDEADLK, roll back via remove_waiter()) a waiter on behalf of a different task, so the helper scrubs the wrong task's state and leaves a dangling pointer into an already-freed kernel stack frame. The only prerequisite is CONFIG_FUTEX_PI=y, the default on essentially every mainstream distribution — no special capability, user namespace, or unusual configuration, so any unprivileged local user is in scope.
The flaw was introduced in Linux 2.6.39 (commit 8161239a8bcc, a 2011 rtmutex PI-algorithm rework) and shipped for over fifteen years until it was reported to security@kernel.org on 18 April 2026, fixed two days later in commit 3bfdc63936dd, and backported by 4 May 2026 — meaning most currently-maintained kernels already carry the fix, but any distribution build not rebased onto a post-April-2026 source tree remains exposed. Nebula turned the primitive into a full exploit: reclaim the freed stack frame, use a prefetch-based side channel plus the DirtyMode /proc/sys write-what-where technique to hijack a function pointer, and reach root in roughly five seconds at 97% reliability in testing; the same primitive escapes containers, letting a compromised container break out to the host kernel. Google awarded $92,337 through kernelCTF, and Nebula published full exploit source alongside the write-up on 7 July — no in-the-wild exploitation is reported, but public working code against a 15-year exposure window makes this a same-week verification item (The Hacker News, 2026-07-08).
Kill chain and detection: the exploit is a local privilege-escalation and container-escape primitive — T1068 Exploitation for Privilege Escalation, with the container-escape variant also mapping to T1611 Escape to Host. Because the trigger is a legitimate futex-PI syscall pattern, there is no clean single syscall signature; hunt instead for the downstream effects — unexpected uid=0 transitions from processes with no setuid provenance, kernel oops/BUG: KASAN/general protection fault entries referencing rtmutex/remove_waiter in dmesg on hosts running untrusted code, and, on container platforms, a container process acquiring host-level capabilities or writing under host /proc/sys. Hardening short of the kernel patch: CONFIG_RANDOMIZE_KSTACK_OFFSET defeats the specific stack-reuse step (turning a deterministic overlap into roughly a 1-in-32 guess) and CONFIG_STATIC_USERMODE_HELPER closes the specific DirtyMode write-what-where path this PoC relied on — both raise cost but are not fixes. The durable remediation is confirming the running kernel includes commit 3bfdc63936dd, with priority on multi-tenant, shared-CI-runner and container-host fleets across Swiss/EU public-sector and cloud/Kubernetes estates where untrusted local code is most likely to run.
GhostLock (CVE-2026-43499) is a Linux kernel vulnerability found by VEGA that exists in every major distribution since 2011. Triggering the bug does not require any special kernel config or privilege.
No one is known to be exploiting it in the wild, but Nebula has published working exploit code, so anyone can now run it.