GhostLock (CVE-2026-43499): 15-year rtmutex UAF gives root on every Linux distro
A use-after-free in the Linux kernel's futex priority-inheritance path, present since May 2011, hands root to any local user. Fixed in mainline commit 3bfdc63936dd; distros started shipping July 9.
Nebula Security disclosed GhostLock — CVE-2026-43499 — a use-after-free in the Linux kernel's real-time mutex code that gives any unprivileged local user a shell as root. The vulnerable path is on the futex priority-inheritance flow, where a cleanup routine assumes the wrong task owns the waiter it is tearing down. Nebula reported it to security@kernel.org via Google's kernel VRP program and, per SecurityWeek, earned a $92,000 bounty. CVSS is 7.8. A working proof-of-concept is public.
The bug
The vulnerable code sits in kernel/locking/rtmutex.c, on the priority-inheritance path used by FUTEX_LOCK_PI and FUTEX_CMP_REQUEUE_PI. When a deadlock cycle is detected during a requeue-with-PI operation, the kernel needs to unwind on behalf of a different, sleeping thread — not current. The old remove_waiter() implementation didn't know that: it took current->pi_blocked_on as gospel and cleared the wrong task's bookkeeping. The waiter stayed referenced by a dangling pointer into a freed region of kernel stack, and an attacker who controlled the freed slot got a write primitive that ends at root.
The upstream fix — commit 3bfdc63936dd, "rtmutex: Use waiter::task instead of current in remove_waiter()" — passes the correct task in explicitly, takes that task's pi_lock under scoped_guard, and only clears pi_blocked_on if it still points to the waiter being removed.
Age and blast radius
Per Nebula's own write-up and the corroborating disclosure timeline, the bad assumption was introduced in commit 8161239a8bcc in Linux 2.6.39-rc1, back in May 2011. Every kernel from 2.6.39 through the pre-7.1 mainline shipped the flaw. That covers effectively every server, container host, embedded appliance, and cloud VM image running Linux for the past fourteen years. There is no non-default kernel config to disable — the futex PI code is a standard build artifact.
Exploitation status
- Public PoC. Nebula published the technique and a working LPE PoC. Coverage in The Hacker News and SecurityAffairs reports the exploit clears a container boundary in the same run — a low-privileged process inside a container can become root on the host.
- No named in-the-wild campaign as of publication. No vendor telemetry (Mandiant, GreyNoise, CrowdStrike) has attributed observed exploitation to a group. The CISA Known Exploited Vulnerabilities catalog does not list CVE-2026-43499 at press time.
- Local attacker required. No remote vector. The exposure that matters is any workload that runs adversary-controlled code as an unprivileged user: multi-tenant CI, shared build boxes, hosted developer VMs, and containers whose runtime doesn't already interpose on
futex(2).
Action checklist
- Inventory kernels running now, not what's staged.
uname -ron every host, cross-referenced against your distro's advisory:- AlmaLinux shipped kernel updates on July 9.
- CloudLinux shipped kernel updates on July 9.
- Track RHEL, Ubuntu, Debian, and SUSE update streams for the corresponding backport commit; the CERT-FR advisories CERTFR-2026-AVI-0861, 0862, 0863, and 0864 — published July 10 — cover the Ubuntu, Debian LTS, Red Hat, and SUSE kernel rollups respectively.
- Reboot after the package lands. GhostLock is in the running kernel, not on disk.
yum update kernelis not a fix until the host is on the newuname -r. - Prioritise multi-tenant hosts. Public-cloud edges, hosted CI runners, shared developer bastions, and every container host where images execute untrusted code. On a shared host, "just a low-priv workload" is the exploit's starting point.
- Constrain the
futexsyscall on hardened workloads where a full reboot slips. Seccomp filters that deny theFUTEX_LOCK_PI/FUTEX_CMP_REQUEUE_PIoperations, or aSECCOMP_RET_ERRNO(EPERM)mask on futex ops the workload doesn't actually use, kill the primitive at the syscall boundary. This is a workaround, not a fix — apply until the host is on a patched kernel and rebooted. - Watch for a CISA KEV addition. GhostLock has the profile CISA has been adding fast in 2026: public PoC, LPE-to-root, defaults-on component, present on every host in the estate. If it lands on KEV, federal remediation deadlines apply from the catalog date.
Context
GhostLock is the second 15-year-plus Linux LPE disclosed via a public PoC in the last month, after the Bad Epoll flaw and the DirtyClone variant covered earlier. The pattern — old code, weak invariant, PoC drops the day the fix merges — has become the dominant Linux-kernel LPE shape of the year. Treat the interval between upstream commit and distro-shipped-and-rebooted as the operating risk window, and shorten it structurally: reboot policy on kernel security updates is the real defense, not the presence of the patch package on disk.
Nebula's disclosure also lands squarely inside Google's kernel VRP — the program Google reworked in 2025 to route third-party kernel research through a defined bounty rather than through opportunistic reporting. The $92k payout is public evidence that the rework produced the intended output: a critical, 15-year-old bug reported responsibly, patched in mainline before disclosure, and coordinated across the major distributions. The parallel Januscape KVM escape came out of the same ecosystem in the same month.