Skip to content

GhostLock (CVE-2026-43499): 15-year rtmutex UAF gives root on every Linux distro

A use-after-free in the Linux kernel's futex priority-inheritance path, present since May 2011, hands root to any local user. Fixed in mainline commit 3bfdc63936dd; distros started shipping July 9.

Published 4 min read

Nebula Security disclosed GhostLockCVE-2026-43499 — a use-after-free in the Linux kernel's real-time mutex code that gives any unprivileged local user a shell as root. The vulnerable path is on the futex priority-inheritance flow, where a cleanup routine assumes the wrong task owns the waiter it is tearing down. Nebula reported it to security@kernel.org via Google's kernel VRP program and, per SecurityWeek, earned a $92,000 bounty. CVSS is 7.8. A working proof-of-concept is public.

The bug

The vulnerable code sits in kernel/locking/rtmutex.c, on the priority-inheritance path used by FUTEX_LOCK_PI and FUTEX_CMP_REQUEUE_PI. When a deadlock cycle is detected during a requeue-with-PI operation, the kernel needs to unwind on behalf of a different, sleeping thread — not current. The old remove_waiter() implementation didn't know that: it took current->pi_blocked_on as gospel and cleared the wrong task's bookkeeping. The waiter stayed referenced by a dangling pointer into a freed region of kernel stack, and an attacker who controlled the freed slot got a write primitive that ends at root.

The upstream fix — commit 3bfdc63936dd, "rtmutex: Use waiter::task instead of current in remove_waiter()" — passes the correct task in explicitly, takes that task's pi_lock under scoped_guard, and only clears pi_blocked_on if it still points to the waiter being removed.

Age and blast radius

Per Nebula's own write-up and the corroborating disclosure timeline, the bad assumption was introduced in commit 8161239a8bcc in Linux 2.6.39-rc1, back in May 2011. Every kernel from 2.6.39 through the pre-7.1 mainline shipped the flaw. That covers effectively every server, container host, embedded appliance, and cloud VM image running Linux for the past fourteen years. There is no non-default kernel config to disable — the futex PI code is a standard build artifact.

Exploitation status

  • Public PoC. Nebula published the technique and a working LPE PoC. Coverage in The Hacker News and SecurityAffairs reports the exploit clears a container boundary in the same run — a low-privileged process inside a container can become root on the host.
  • No named in-the-wild campaign as of publication. No vendor telemetry (Mandiant, GreyNoise, CrowdStrike) has attributed observed exploitation to a group. The CISA Known Exploited Vulnerabilities catalog does not list CVE-2026-43499 at press time.
  • Local attacker required. No remote vector. The exposure that matters is any workload that runs adversary-controlled code as an unprivileged user: multi-tenant CI, shared build boxes, hosted developer VMs, and containers whose runtime doesn't already interpose on futex(2).

Action checklist

  1. Inventory kernels running now, not what's staged. uname -r on every host, cross-referenced against your distro's advisory:
    • AlmaLinux shipped kernel updates on July 9.
    • CloudLinux shipped kernel updates on July 9.
    • Track RHEL, Ubuntu, Debian, and SUSE update streams for the corresponding backport commit; the CERT-FR advisories CERTFR-2026-AVI-0861, 0862, 0863, and 0864 — published July 10 — cover the Ubuntu, Debian LTS, Red Hat, and SUSE kernel rollups respectively.
  2. Reboot after the package lands. GhostLock is in the running kernel, not on disk. yum update kernel is not a fix until the host is on the new uname -r.
  3. Prioritise multi-tenant hosts. Public-cloud edges, hosted CI runners, shared developer bastions, and every container host where images execute untrusted code. On a shared host, "just a low-priv workload" is the exploit's starting point.
  4. Constrain the futex syscall on hardened workloads where a full reboot slips. Seccomp filters that deny the FUTEX_LOCK_PI / FUTEX_CMP_REQUEUE_PI operations, or a SECCOMP_RET_ERRNO(EPERM) mask on futex ops the workload doesn't actually use, kill the primitive at the syscall boundary. This is a workaround, not a fix — apply until the host is on a patched kernel and rebooted.
  5. Watch for a CISA KEV addition. GhostLock has the profile CISA has been adding fast in 2026: public PoC, LPE-to-root, defaults-on component, present on every host in the estate. If it lands on KEV, federal remediation deadlines apply from the catalog date.

Context

GhostLock is the second 15-year-plus Linux LPE disclosed via a public PoC in the last month, after the Bad Epoll flaw and the DirtyClone variant covered earlier. The pattern — old code, weak invariant, PoC drops the day the fix merges — has become the dominant Linux-kernel LPE shape of the year. Treat the interval between upstream commit and distro-shipped-and-rebooted as the operating risk window, and shorten it structurally: reboot policy on kernel security updates is the real defense, not the presence of the patch package on disk.

Nebula's disclosure also lands squarely inside Google's kernel VRP — the program Google reworked in 2025 to route third-party kernel research through a defined bounty rather than through opportunistic reporting. The $92k payout is public evidence that the rework produced the intended output: a critical, 15-year-old bug reported responsibly, patched in mainline before disclosure, and coordinated across the major distributions. The parallel Januscape KVM escape came out of the same ecosystem in the same month.

Related stories