Close Menu

    Subscribe to Updates

    Get the latest creative news from infofortech

    What's Hot

    Helping AI models to meet the real world | MIT News

    July 14, 2026

    AWS Security Hub expands coverage to Microsoft Azure and beefs up AI protections

    July 14, 2026

    Why Personalized Lead Data Analysis Beats Bulk Reporting Every Single Time

    July 14, 2026
    Facebook X (Twitter) Instagram
    InfoForTech
    • Home
    • Latest in Tech
    • Artificial Intelligence
    • Cybersecurity
    • Innovation
    Facebook X (Twitter) Instagram
    InfoForTech
    Home»Cybersecurity»15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros
    Cybersecurity

    15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros

    InfoForTechBy InfoForTechJuly 8, 2026No Comments4 Mins Read
    Facebook Twitter Pinterest Telegram LinkedIn Tumblr WhatsApp Email
    15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros
    Share
    Facebook Twitter LinkedIn Pinterest Telegram Email


    Researchers at Nebula Security have disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched.

    The vulnerable code has shipped by default in essentially every mainstream distribution since 2011. The flaw needs no special permission, no unusual settings, and no network access; ordinary threading calls from any local program are enough.

    Nebula turned it into a working root exploit that is 97% reliable in its testing and also escapes containers, and says Google awarded the team $92,337 through its kernelCTF bug-bounty program.

    No one is known to be exploiting it in the wild, but Nebula has published working exploit code, so anyone can now run it. Patching is the priority.

    How the bug works

    The kernel has a system for keeping an urgent task from getting stuck behind a trivial one. Part of it is a cleanup step that tidies up after a task once it stops waiting.

    Normally, that works fine. But in one rare case, where a lock operation hits a dead end and has to back out, the cleanup runs at the wrong moment and wipes the wrong task’s record.

    That mistake leaves the kernel holding a “note” that points at a scrap of memory it has already thrown away and reused. Trusting that stale pointer is the whole bug, the kind of slip known as a use-after-free. From there, Nebula’s team chained a few clever steps to turn that small mistake into full control, ending by tricking the kernel into running their own code as the all-powerful “root” user. On their test machine, it took about five seconds.

    The flaw has been in Linux since 2011 and was fixed in April, with distributions now rolling out the patch (3bfdc63936dd). It affects nearly every Linux build and scores 7.8 out of 10 (high, not critical) because an attacker needs to already be logged in to the machine. Nebula found it with VEGA, its AI-driven bug-hunting tool.

    What to do

    Install your distribution’s current kernel, not just the first patched build. The original fix introduced a separate crash bug (CVE-2026-53166), and the cleanup for that was still settling upstream in early July, so early builds may lack the final version.

    There is no complete workaround, since the operations that trigger it are routine for any local process.

    Availability is uneven so far. Ubuntu, for example, had patched its newest release and some cloud kernels, but as of early July still listed 24.04, 22.04, and 20.04 LTS as vulnerable or in progress. Check your distribution’s advisory and confirm the fixed package version rather than assuming one is waiting.

    Two build options, RANDOMIZE_KSTACK_OFFSET and STATIC_USERMODE_HELPER, make this exploit harder, but they are mitigations, not fixes. Patch shared and multi-tenant machines first, cloud servers, containers, and CI runners, where an attacker is most likely to find the local foothold this bug needs.

    Not the only kernel-to-root bug this year

    GhostLock joins a run of 2026 Linux privilege-escalation bugs, several of which share a detail: an automated tool found them.

    VEGA found GhostLock; days earlier, researchers disclosed Bad Epoll (CVE-2026-46242), a close cousin that also turns an unprivileged user into root. It was proven through kernelCTF and, unusually for this class of bug, works on Android.

    Bad Epoll sits in the same stretch of code where Anthropic’s Mythos model was credited with a related flaw. What they share is old, heavily used kernel machinery that few had reread in years, until automated tools started combing it. Futex priority inheritance dates to 2011. The class is not theoretical: another 2026 bug, Copy Fail (CVE-2026-31431), is already on CISA’s list of vulnerabilities seen in real-world attacks.

    GhostLock is also the second half of a chain Nebula calls IonStack. The first half, CVE-2026-10702, is a Firefox flaw that runs code inside the browser and escapes its sandbox; GhostLock carries it the rest of the way to root.

    Nebula has already demonstrated the full chain, from a single tap on a malicious link to full control, against Firefox on Android. That is why a “local only” kernel bug still matters: on its own, it needs a foothold, but bolted onto a browser exploit, it becomes a remote compromise. Nebula says a full write-up of the Android exploit is coming next.

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    InfoForTech
    • Website

    Related Posts

    U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support

    July 14, 2026

    CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

    July 13, 2026

    Rokarolla Android Malware, How to Protect Your Banking Apps

    July 13, 2026

    Europe Must Sell Intelligence, Not Electrons

    July 13, 2026

    Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns

    July 12, 2026

    Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

    July 12, 2026
    Leave A Reply Cancel Reply

    Advertisement
    Top Posts

    DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

    March 20, 202638 Views

    Microsoft is bringing an AI helper to Xbox consoles

    March 14, 202618 Views

    Why Security Validation Is Becoming Agentic

    March 16, 202616 Views

    This is the tech that makes Volvo’s latest EV a major step forward

    January 24, 202616 Views
    Stay In Touch
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Advertisement
    About Us
    About Us

    Our mission is to deliver clear, reliable, and up-to-date information about the technologies shaping the modern world. We focus on breaking down complex topics into easy-to-understand insights for professionals, enthusiasts, and everyday readers alike.

    We're accepting new partnerships right now.

    Facebook X (Twitter) YouTube
    Most Popular

    DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

    March 20, 202638 Views

    Microsoft is bringing an AI helper to Xbox consoles

    March 14, 202618 Views

    Why Security Validation Is Becoming Agentic

    March 16, 202616 Views
    Categories
    • Artificial Intelligence
    • Cybersecurity
    • Innovation
    • Latest in Tech
    © 2026 All Rights Reserved InfoForTech.
    • Home
    • About Us
    • Contact Us
    • Privacy Policy

    Type above and press Enter to search. Press Esc to cancel.

    Ad Blocker Enabled!
    Ad Blocker Enabled!
    Our website is made possible by displaying online advertisements to our visitors. Please support us by disabling your Ad Blocker.