Researchers at Nebula Security have disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched.
The vulnerable code has shipped by default in essentially every mainstream distribution since 2011. The flaw needs no special permission, no unusual settings, and no network access; ordinary threading calls from any local program are enough.
Nebula turned it into a working root exploit that is 97% reliable in its testing and also escapes containers, and says Google awarded the team $92,337 through its kernelCTF bug-bounty program.
No one is known to be exploiting it in the wild, but Nebula has published working exploit code, so anyone can now run it. Patching is the priority.
How the bug works
The kernel has a system for keeping an urgent task from getting stuck behind a trivial one. Part of it is a cleanup step that tidies up after a task once it stops waiting.
Normally, that works fine. But in one rare case, where a lock operation hits a dead end and has to back out, the cleanup runs at the wrong moment and wipes the wrong task’s record.
That mistake leaves the kernel holding a “note” that points at a scrap of memory it has already thrown away and reused. Trusting that stale pointer is the whole bug, the kind of slip known as a use-after-free. From there, Nebula’s team chained a few clever steps to turn that small mistake into full control, ending by tricking the kernel into running their own code as the all-powerful “root” user. On their test machine, it took about five seconds.
The flaw has been in Linux since 2011 and was fixed in April, with distributions now rolling out the patch (3bfdc63936dd). It affects nearly every Linux build and scores 7.8 out of 10 (high, not critical) because an attacker needs to already be logged in to the machine. Nebula found it with VEGA, its AI-driven bug-hunting tool.
What to do
Install your distribution’s current kernel, not just the first patched build. The original fix introduced a separate crash bug (CVE-2026-53166), and the cleanup for that was still settling upstream in early July, so early builds may lack the final version.
There is no complete workaround, since the operations that trigger it are routine for any local process.
Availability is uneven so far. Ubuntu, for example, had patched its newest release and some cloud kernels, but as of early July still listed 24.04, 22.04, and 20.04 LTS as vulnerable or in progress. Check your distribution’s advisory and confirm the fixed package version rather than assuming one is waiting.
Two build options, RANDOMIZE_KSTACK_OFFSET and STATIC_USERMODE_HELPER, make this exploit harder, but they are mitigations, not fixes. Patch shared and multi-tenant machines first, cloud servers, containers, and CI runners, where an attacker is most likely to find the local foothold this bug needs.
Not the only kernel-to-root bug this year
GhostLock joins a run of 2026 Linux privilege-escalation bugs, several of which share a detail: an automated tool found them.
VEGA found GhostLock; days earlier, researchers disclosed Bad Epoll (CVE-2026-46242), a close cousin that also turns an unprivileged user into root. It was proven through kernelCTF and, unusually for this class of bug, works on Android.
Bad Epoll sits in the same stretch of code where Anthropic’s Mythos model was credited with a related flaw. What they share is old, heavily used kernel machinery that few had reread in years, until automated tools started combing it. Futex priority inheritance dates to 2011. The class is not theoretical: another 2026 bug, Copy Fail (CVE-2026-31431), is already on CISA’s list of vulnerabilities seen in real-world attacks.
GhostLock is also the second half of a chain Nebula calls IonStack. The first half, CVE-2026-10702, is a Firefox flaw that runs code inside the browser and escapes its sandbox; GhostLock carries it the rest of the way to root.
Nebula has already demonstrated the full chain, from a single tap on a malicious link to full control, against Firefox on Android. That is why a “local only” kernel bug still matters: on its own, it needs a foothold, but bolted onto a browser exploit, it becomes a remote compromise. Nebula says a full write-up of the Android exploit is coming next.





