preloader

· security devops digital-security linux kernel cve containers kubernetes vulnerability-management europe

GhostLock: A Vulnerability Hiding in Linux Since 2011 Now Has a Public Exploit That Gets Root in Seconds

Source: The Hacker News

A vulnerability that has sat quietly in the Linux kernel since 2011 now has a public, highly reliable exploit, and it affects essentially every mainstream Linux distribution running a kernel from the last fifteen years.

What GhostLock actually is

CVE-2026-43499, dubbed GhostLock, is a use-after-free flaw in the kernel’s real-time mutex priority-inheritance code, triggered through the futex subsystem that underpins ordinary thread synchronisation. No special permissions, unusual configuration, or network access are required. Ordinary threading calls available to any local program are enough to trigger it. Security researchers at Nebula Security turned the flaw into a working root exploit that succeeds roughly 97 percent of the time in testing, and confirmed the same bug also allows a compromised container to escape to the underlying host kernel.

Why this is worse than a typical local privilege escalation bug

Most local privilege escalation flaws need a specific configuration, an unusual kernel module loaded, or a narrow race condition that is hard to hit reliably. GhostLock needs none of that. It has been present in the vulnerable code path since Linux 2.6.39, meaning any server, workstation, or container host that has not applied a very recent kernel update carries the flaw regardless of distribution. The container escape angle matters just as much as the local root angle: any environment running untrusted or semi-trusted workloads in containers, a common pattern in shared hosting, CI/CD runners, and multi-tenant Kubernetes clusters, should treat this as a host-compromise risk, not just a single-container risk.

Researchers have also linked GhostLock to a two-stage attack chain called IonStack, where a separate Firefox sandbox-escape flaw, CVE-2026-10702, delivers code execution inside the browser, and GhostLock then carries that access the rest of the way to full root. A browser bug and a kernel bug that individually look moderate become a complete workstation compromise when chained.

What has been fixed, and what has not

The flaw is fixed in mainline Linux as of commit 3bfdc63936dd, shipped in Linux 7.1. Major enterprise distributions including AlmaLinux and CloudLinux have already released backported kernel updates. The gap that matters is everywhere else: older kernel branches still receiving only security backports, container base images built before the patch, and any environment where kernel updates are batched into infrequent maintenance windows rather than applied promptly.

What to do now

Confirm your kernel version against your distribution’s advisory for CVE-2026-43499 today, and prioritise patching any host that runs containers for multiple tenants or untrusted workloads, since the container-escape path turns a contained incident into a full host compromise. If you cannot patch immediately, review which local users and container images have execution rights on affected hosts, since the exploit requires only ordinary local code execution to succeed.

If your organisation needs help auditing kernel patch levels across your fleet, hardening container and Kubernetes hosts against escape techniques, or building a faster path from kernel advisory to production patch, contact Excello Digital. We help European DevOps and infrastructure teams close exactly this kind of gap between “patch available” and “patch applied.”

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!