ctipilot.ch
← Back to the live brief
HIGHCVE-2026-43499vulnerabilitydeep dive

GhostLock (CVE-2026-43499) — Linux kernel rtmutex use-after-free with a public, 97%-reliable root and container-escape exploit

discovered 2026-07-08 20:35 UTCrun 2026-07-08T2009Z-intel2 sourcesmulti-source

GhostLock (CVE-2026-43499) is a stack use-after-free in the Linux kernel's rtmutex priority-inheritance code, discovered by Nebula Security's automated bug-hunting tool VEGA (Nebula Security, 2026-07-07). The defect lives in remove_waiter() (kernel/locking/rtmutex.c): the helper unconditionally clears current->pi_blocked_on, an assumption valid on the normal self-blocking path but broken on the proxy-lock rollback path — rt_mutex_start_proxy_lock() can enqueue (and, on -EDEADLK, roll back via remove_waiter()) a waiter on behalf of a different task, so the helper scrubs the wrong task's state and leaves a dangling pointer into an already-freed kernel stack frame. The only prerequisite is CONFIG_FUTEX_PI=y, the default on essentially every mainstream distribution — no special capability, user namespace, or unusual configuration, so any unprivileged local user is in scope.

The flaw was introduced in Linux 2.6.39 (commit 8161239a8bcc, a 2011 rtmutex PI-algorithm rework) and shipped for over fifteen years until it was reported to security@kernel.org on 18 April 2026, fixed two days later in commit 3bfdc63936dd, and backported by 4 May 2026 — meaning most currently-maintained kernels already carry the fix, but any distribution build not rebased onto a post-April-2026 source tree remains exposed. Nebula turned the primitive into a full exploit: reclaim the freed stack frame, use a prefetch-based side channel plus the DirtyMode /proc/sys write-what-where technique to hijack a function pointer, and reach root in roughly five seconds at 97% reliability in testing; the same primitive escapes containers, letting a compromised container break out to the host kernel. Google awarded $92,337 through kernelCTF, and Nebula published full exploit source alongside the write-up on 7 July — no in-the-wild exploitation is reported, but public working code against a 15-year exposure window makes this a same-week verification item (The Hacker News, 2026-07-08).

Kill chain and detection: the exploit is a local privilege-escalation and container-escape primitive — T1068 Exploitation for Privilege Escalation, with the container-escape variant also mapping to T1611 Escape to Host. Because the trigger is a legitimate futex-PI syscall pattern, there is no clean single syscall signature; hunt instead for the downstream effects — unexpected uid=0 transitions from processes with no setuid provenance, kernel oops/BUG: KASAN/general protection fault entries referencing rtmutex/remove_waiter in dmesg on hosts running untrusted code, and, on container platforms, a container process acquiring host-level capabilities or writing under host /proc/sys. Hardening short of the kernel patch: CONFIG_RANDOMIZE_KSTACK_OFFSET defeats the specific stack-reuse step (turning a deterministic overlap into roughly a 1-in-32 guess) and CONFIG_STATIC_USERMODE_HELPER closes the specific DirtyMode write-what-where path this PoC relied on — both raise cost but are not fixes. The durable remediation is confirming the running kernel includes commit 3bfdc63936dd, with priority on multi-tenant, shared-CI-runner and container-host fleets across Swiss/EU public-sector and cloud/Kubernetes estates where untrusted local code is most likely to run.

GhostLock (CVE-2026-43499) is a Linux kernel vulnerability found by VEGA that exists in every major distribution since 2011. Triggering the bug does not require any special kernel config or privilege.

Nebula Security 2026-07-07

No one is known to be exploiting it in the wild, but Nebula has published working exploit code, so anyone can now run it.

The Hacker News 2026-07-08

Defender actions

  • Confirm the running kernel includes commit 3bfdc63936dd (backported 2026-05-04) — a build date of 'recent' is not sufficient; verify the specific fix on every multi-tenant, CI/CD and container-host Linux fleet.
  • Where immediate patching is not possible, enable CONFIG_RANDOMIZE_KSTACK_OFFSET and CONFIG_STATIC_USERMODE_HELPER to raise exploit cost (not a fix), and prioritise hosts where untrusted local code runs (shared build runners, container platforms).
PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.