15-Year-Old Linux Kernel GhostLock Flaw Lets Local Users Gain Root

CVE-2026-43499, dubbed GhostLock by Nebula Security, exposes a long-standing Linux kernel futex bug that can lead to local root access.

Linux users have another kernel privilege escalation bug to deal with. Tracked as CVE-2026-43499 and named GhostLock by Nebula Security, the flaw affects the Linux kernel’s futex and rtmutex priority-inheritance code and can let an unprivileged local user gain root on vulnerable systems.

The vulnerability carries a CVSS 3.1 score of 7.8, rated High by NVD, which places it firmly in the serious-but-local category.

This issue follows closely after DirtyClone, another recent Linux kernel vulnerability that could also result in local root access. However, GhostLock is a distinct flaw. While DirtyClone was related to the networking stack and socket buffer fragment handling, GhostLock is located deeper within the kernel’s locking code.

According to Nebula Security, the issue dates back to 2011 (starting with Linux kernel 2.6.39), making it roughly 15 years old. The vulnerable logic is in the kernel’s real-time mutex code, specifically in the futex priority-inheritance path.

In other words, the kernel can clean up the wrong task during a rollback path, leaving stale priority-inheritance state behind. That can result in a use-after-free condition, which the researchers say can be turned into a reliable local privilege escalation exploit.

The impact is serious but should be accurately understood. This vulnerability does not allow remote takeover, as an attacker must first achieve local code execution. However, this requirement is not trivial on shared systems, container hosts, CI runners, development machines, or servers where low-privileged accounts may already be compromised.

Nebula Security states that GhostLock can be exploited from within a container to escape to the host, making this vulnerability particularly relevant for multi-tenant and containerized environments. AlmaLinux’s advisory also describes the issue as a local root flaw that can be exploited from inside a container without requiring special capabilities.

The patch status varies across distros. Debian has released fixes for its supported kernel lines. Ubuntu has addressed the issue in the main kernel package for 26.04 LTS, though several older LTS versions remain vulnerable or are pending updates. SUSE has published fixes for multiple enterprise and openSUSE lines.

Oracle Linux has released UEK fixes for versions 9 and 10. AlmaLinux has made patches for versions 8, 9, and 10 available through its testing repository, with production rollout pending. Amazon Linux still lists affected kernel packages as awaiting a fix, and Red Hat continues to update affected RHEL releases.

So, importantly, users should not assume they are protected just because their distribution has issued some kernel updates recently. The safe check is to compare the running kernel with the fixed version listed by the distribution’s own security tracker, then reboot into the updated kernel.

At the time of writing, there is no universal workaround for GhostLock. While some hardening options may make exploitation more difficult, they are not substitutes for vendor kernel updates. For production systems, especially multi-user servers and container hosts, the only effective solution is to apply a patched kernel from the distribution vendor.

For additional info, see Nebula’s post.

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

Leave a Reply

Your email address will not be published. Required fields are marked *