{"id":14145,"date":"2026-07-08T10:03:45","date_gmt":"2026-07-08T10:03:45","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/08\/15-year-old-ghostlock-kernel-flaw-enables-privilege-escalation-in-major-linux-distributions\/"},"modified":"2026-07-08T10:03:45","modified_gmt":"2026-07-08T10:03:45","slug":"15-year-old-ghostlock-kernel-flaw-enables-privilege-escalation-in-major-linux-distributions","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/08\/15-year-old-ghostlock-kernel-flaw-enables-privilege-escalation-in-major-linux-distributions\/","title":{"rendered":"15-year-old GhostLock Kernel Flaw Enables Privilege Escalation in Major Linux Distributions"},"content":{"rendered":"<p>    15-year-old GhostLock Kernel Flaw Enables Privilege Escalation in Major Linux Distributions<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">A critical Linux kernel vulnerability, tracked as CVE-2026-43499 and dubbed \u201c<a href=\"https:\/\/cybersecuritynews.com\/ghostlock-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">GhostLock<\/a>,\u201d has been disclosed by security researchers at VEGA, exposing a privilege escalation flaw that has silently affected major Linux distributions for over a decade.<\/p>\n<p class=\"wp-block-paragraph\">GhostLock originates from a logic error in the kernel\u2019s real-time mutex (rtmutex) subsystem, introduced in Linux version 2.6.39 in 2011. The flaw remained undiscovered until it was patched in April 2026, impacting all kernels up to version 7.1.<\/p>\n<p class=\"wp-block-paragraph\">Nebula Security researchers demonstrated a highly reliable exploit with a 97% success rate, earning a $92,337 reward through Google\u2019s kernelCTF program.<\/p>\n<p>At its core, the vulnerability allows an unprivileged local attacker to manipulate kernel memory and ultimately <a href=\"https:\/\/cybersecuritynews.com\/linux-kernel-nftables-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">gain root privileges<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">The issue arises in the remove_waiter() function, which incorrectly clears a pointer associated with the currently executing task instead of the actual waiting task during certain futex operations.<\/p>\n<p class=\"wp-block-paragraph\">This bug causes a dangling pointer to reference freed kernel stack memory. The flaw is exploitable via a specific race condition involving priority-inheritance futexes.<\/p>\n<figure class=\"wp-block-video\"><video controls src=\"https:\/\/nebusec.ai\/_astro\/lpe.BlgXdoXi.mp4\"><\/video><\/figure>\n<p class=\"wp-block-paragraph\">By carefully orchestrating interactions among multiple threads and futex variables, an attacker can trigger a deadlock that forces the kernel to roll back.<\/p>\n<h2 id=\"h-15-year-old-ghostlock-linux-kernel-vulnerability\" class=\"wp-block-heading\"><strong>15-Year-Old GhostLock Linux Kernel Vulnerability<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">During this rollback, the kernel fails to properly clean up internal state, leaving behind a stale pointer to a stack object that no longer exists.<\/p>\n<p class=\"wp-block-paragraph\">Once this dangling pointer is created, attackers can reclaim the freed stack memory and replace it with controlled data.<\/p>\n<p class=\"wp-block-paragraph\">This enables them to forge internal kernel structures and influence how the kernel processes synchronization primitives. The technique exploits this condition to achieve limited, arbitrary writes to kernel memory.<\/p>\n<p class=\"wp-block-paragraph\">Although the write primitive is constrained, it is sufficient to overwrite critical kernel structures, such as function-pointer tables.<\/p>\n<p class=\"wp-block-paragraph\">In the demonstrated exploit, researchers targeted the inet6_protos table, which handles IPv6 protocol operations.<\/p>\n<p class=\"wp-block-paragraph\">By redirecting a function pointer to attacker-controlled memory, they hijacked control flow when the kernel processed a crafted network packet.<\/p>\n<p class=\"wp-block-paragraph\">To bypass <a href=\"https:\/\/cybersecuritynews.com\/windows-11-kaslr-bypassed-using-cache-timing-techniques\/\" target=\"_blank\" rel=\"noreferrer noopener\">kernel address space layout randomization (KASLR)<\/a>, the exploit uses a timing side-channel based on CPU prefetch instructions to infer memory layout.<\/p>\n<p class=\"wp-block-paragraph\">It also leverages the CPU Entry Area, a predictable kernel memory region, to store crafted data structures and build a return-oriented programming chain.<\/p>\n<p class=\"wp-block-paragraph\">The final stage of the attack uses a technique known as <a href=\"https:\/\/cybersecuritynews.com\/dirtydecrypt-linux-kernel-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">DirtyMode<\/a>, in which a single kernel memory write modifies the permissions on a sysctl setting.<\/p>\n<p class=\"wp-block-paragraph\">This allows attackers to execute arbitrary code as root from user space, completing the privilege escalation chain. The vulnerability requires no special privileges or kernel configuration, making it particularly dangerous in multi-user systems and containerized environments where local access is possible.<\/p>\n<p class=\"wp-block-paragraph\">It also enables container escape scenarios, further increasing its impact in cloud and shared infrastructure. The Linux kernel maintainers addressed the issue by modifying the remove_waiter() function to correctly reference the intended task structure.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/nebusec.ai\/research\/ionstack-part-2\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Nebula Security researchers found <\/a>that the initial patch could cause a null pointer exception, necessitating an updated fix. Users and administrators are strongly advised to update to patched kernel versions or the latest long-term support releases.<\/p>\n<p class=\"wp-block-paragraph\">Systems running older kernels remain vulnerable to exploitation. Given the attack\u2019s reliability, timely patching is essential to prevent potential compromise.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong>Stop Accepting SLAs Written for 2019 SOCs \u2013 Here\u2019s the 2026 AI SLA <strong>Vendor<\/strong> Checklist<\/strong> \u2013 <strong><a href=\"https:\/\/underdefense.com\/ai-soc-sla-in-2026-mttr-benchmarks-clause-tables-negotiation-checklist\/?utm_source=cybersecuritynews.com&amp;utm_medium=online_media&amp;utm_campaign=csn_linkedin_newsletter_aisoc_sla_july_2026\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Download Free <strong>AI SOC SLA <\/strong>Guide<\/a><\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/15-year-old-ghostlock-linux-kernel-vulnerability\/\">15-year-old GhostLock Kernel Flaw Enables Privilege Escalation in Major Linux Distributions<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/15-year-old-ghostlock-linux-kernel-vulnerability\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>15-year-old GhostLock Kernel Flaw Enables Privilege Escalation in Major Linux Distributions A critical Linux kernel vulnerability, tracked as CVE-2026-43499 and dubbed \u201cGhostLock,\u201d has been disclosed by security researchers at VEGA, exposing a privilege escalation flaw that has silently affected major Linux distributions for over a decade. GhostLock originates from a logic error in the kernel\u2019s [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,406,648],"tags":[130],"class_list":["post-14145","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-linux","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14145"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14145"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14145\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}