15-year-old GhostLock Kernel Flaw Enables Privilege Escalation in Major Linux Distributions

15-year-old GhostLock Kernel Flaw Enables Privilege Escalation in Major Linux Distributions










A critical Linux kernel vulnerability, tracked as CVE-2026-43499 and dubbed “GhostLock,” has been disclosed by security researchers at VEGA, exposing a privilege escalation flaw that has silently affected major Linux distributions for over a decade.

GhostLock originates from a logic error in the kernel’s real-time mutex (rtmutex) subsystem, introduced in Linux version 2.6.39 in 2011. The flaw remained undiscovered until it was patched in April 2026, impacting all kernels up to version 7.1.

Nebula Security researchers demonstrated a highly reliable exploit with a 97% success rate, earning a $92,337 reward through Google’s kernelCTF program.

At its core, the vulnerability allows an unprivileged local attacker to manipulate kernel memory and ultimately gain root privileges.

The issue arises in the remove_waiter() function, which incorrectly clears a pointer associated with the currently executing task instead of the actual waiting task during certain futex operations.

This bug causes a dangling pointer to reference freed kernel stack memory. The flaw is exploitable via a specific race condition involving priority-inheritance futexes.

By carefully orchestrating interactions among multiple threads and futex variables, an attacker can trigger a deadlock that forces the kernel to roll back.

15-Year-Old GhostLock Linux Kernel Vulnerability

During this rollback, the kernel fails to properly clean up internal state, leaving behind a stale pointer to a stack object that no longer exists.

Once this dangling pointer is created, attackers can reclaim the freed stack memory and replace it with controlled data.

This enables them to forge internal kernel structures and influence how the kernel processes synchronization primitives. The technique exploits this condition to achieve limited, arbitrary writes to kernel memory.

Although the write primitive is constrained, it is sufficient to overwrite critical kernel structures, such as function-pointer tables.

In the demonstrated exploit, researchers targeted the inet6_protos table, which handles IPv6 protocol operations.

By redirecting a function pointer to attacker-controlled memory, they hijacked control flow when the kernel processed a crafted network packet.

To bypass kernel address space layout randomization (KASLR), the exploit uses a timing side-channel based on CPU prefetch instructions to infer memory layout.

It also leverages the CPU Entry Area, a predictable kernel memory region, to store crafted data structures and build a return-oriented programming chain.

The final stage of the attack uses a technique known as DirtyMode, in which a single kernel memory write modifies the permissions on a sysctl setting.

This allows attackers to execute arbitrary code as root from user space, completing the privilege escalation chain. The vulnerability requires no special privileges or kernel configuration, making it particularly dangerous in multi-user systems and containerized environments where local access is possible.

It also enables container escape scenarios, further increasing its impact in cloud and shared infrastructure. The Linux kernel maintainers addressed the issue by modifying the remove_waiter() function to correctly reference the intended task structure.

Nebula Security researchers found that the initial patch could cause a null pointer exception, necessitating an updated fix. Users and administrators are strongly advised to update to patched kernel versions or the latest long-term support releases.

Systems running older kernels remain vulnerable to exploitation. Given the attack’s reliability, timely patching is essential to prevent potential compromise.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor ChecklistDownload Free AI SOC SLA Guide

The post 15-year-old GhostLock Kernel Flaw Enables Privilege Escalation in Major Linux Distributions appeared first on Cyber Security News.






Abinaya





Go to cyber-security-news