ctipilot.ch

GhostLock — Linux kernel rtmutex use-after-free LPE + container escape, public exploit

cve · CVE-2026-43499

Coverage timeline
1
first 2026-07-08 → last 2026-07-08
Entries
1
1 distinct days
Sources cited
2
2 hosts
Sections touched
1
deep-dive
Co-occurring entities
0
no co-occurrence

Story timeline

  1. 2026-07-08GhostLock (CVE-2026-43499) — Linux kernel rtmutex use-after-free with a public, 97%-reliable root and container-escape exploit
    deep-diveGhostLock (CVE-2026-43499): 15-year-old Linux rtmutex UAF gets a public 97%-reliable root + container-escape exploit

Where this entity is cited

  • deep-dive1

Source distribution

  • nebusec.ai1 (50%)
  • thehackernews.com1 (50%)

Entries about GhostLock — Linux kernel rtmutex use-after-free LPE + container escape, public exploit (1)

2026-07-08 · view entry permalink →

GhostLock (CVE-2026-43499) — Linux kernel rtmutex use-after-free with a public, 97%-reliable root and container-escape exploit

GhostLock (CVE-2026-43499) is a stack use-after-free in the Linux kernel's rtmutex priority-inheritance code, discovered by Nebula Security's automated bug-hunting tool VEGA (Nebula Security, 2026-07-07). The defect lives in remove_waiter() (kernel/locking/rtmutex.c): the helper unconditionally clears current->pi_blocked_on, an assumption valid on the normal self-blocking path but broken on the proxy-lock rollback path — rt_mutex_start_proxy_lock() can enqueue (and, on -EDEADLK, roll back via remove_waiter()) a waiter on behalf of a different task, so the helper scrubs the wrong task's state and leaves a dangling pointer into an already-freed kernel stack frame. The only prerequisite is CONFIG_FUTEX_PI=y, the default on essentially every mainstream distribution — no special capability, user namespace, or unusual configuration, so any unprivileged local user is in scope.

The flaw was introduced in Linux 2.6.39 (commit 8161239a8bcc, a 2011 rtmutex PI-algorithm rework) and shipped for over fifteen years until it was reported to security@kernel.org on 18 April 2026, fixed two days later in commit 3bfdc63936dd, and backported by 4 May 2026 — meaning most currently-maintained kernels already carry the fix, but any distribution build not rebased onto a post-April-2026 source tree remains exposed. Nebula turned the primitive into a full exploit: reclaim the freed stack frame, use a prefetch-based side channel plus the DirtyMode /proc/sys write-what-where technique to hijack a function pointer, and reach root in roughly five seconds at 97% reliability in testing; the same primitive escapes containers, letting a compromised container break out to the host kernel. Google awarded $92,337 through kernelCTF, and Nebula published full exploit source alongside the write-up on 7 July — no in-the-wild exploitation is reported, but public working code against a 15-year exposure window makes this a same-week verification item (The Hacker News, 2026-07-08).

Kill chain and detection: the exploit is a local privilege-escalation and container-escape primitive — T1068 Exploitation for Privilege Escalation, with the container-escape variant also mapping to T1611 Escape to Host. Because the trigger is a legitimate futex-PI syscall pattern, there is no clean single syscall signature; hunt instead for the downstream effects — unexpected uid=0 transitions from processes with no setuid provenance, kernel oops/BUG: KASAN/general protection fault entries referencing rtmutex/remove_waiter in dmesg on hosts running untrusted code, and, on container platforms, a container process acquiring host-level capabilities or writing under host /proc/sys. Hardening short of the kernel patch: CONFIG_RANDOMIZE_KSTACK_OFFSET defeats the specific stack-reuse step (turning a deterministic overlap into roughly a 1-in-32 guess) and CONFIG_STATIC_USERMODE_HELPER closes the specific DirtyMode write-what-where path this PoC relied on — both raise cost but are not fixes. The durable remediation is confirming the running kernel includes commit 3bfdc63936dd, with priority on multi-tenant, shared-CI-runner and container-host fleets across Swiss/EU public-sector and cloud/Kubernetes estates where untrusted local code is most likely to run.

GhostLock (CVE-2026-43499) is a Linux kernel vulnerability found by VEGA that exists in every major distribution since 2011. Triggering the bug does not require any special kernel config or privilege.

Nebula Security 2026-07-07

No one is known to be exploiting it in the wild, but Nebula has published working exploit code, so anyone can now run it.

The Hacker News 2026-07-08
vulnerability08 Jul 20:35Zmulti-sourceOpen finding ↗