15-Year-Old Linux Kernel Flaw Can Grant Root and Break Out of Containers
Security researchers at Nebula Security have disclosed a long-standing Linux kernel vulnerability, tracked as CVE-2026-43499 and nicknamed GhostLock, that can let a local user gain full root privilege...
Security researchers at Nebula Security have disclosed a long-standing Linux kernel vulnerability, tracked as CVE-2026-43499 and nicknamed GhostLock, that can let a local user gain full root privileges on systems that have not been updated. The issue has reportedly existed in the kernel since 2011 and has been present in default configurations across most major Linux distributions.
According to the researchers, the flaw does not require special permissions, unusual configuration changes, or network access. A logged-in user can trigger it through ordinary threading activity from a local program. Nebula says it built a reliable exploit that worked in testing with a high success rate and could also escape containers, making the bug especially concerning for shared servers and cloud environments.
How the flaw behaves
The problem sits in kernel logic designed to manage task priority and cleanup during locking operations. In a rare failure path, the cleanup happens at the wrong time and removes the wrong task’s data. That leaves the kernel referencing memory that has already been freed and potentially reused, a classic use-after-free condition. From there, the researchers chained additional steps to turn the memory corruption into code execution with root-level access.
Nebula says the issue was identified using its VEGA automated bug-hunting system and that Google awarded the team a bug bounty through its kernelCTF program. The vulnerability was fixed upstream in April, but the patch has been arriving in distributions at different times, and some early builds reportedly introduced a separate crash issue that required additional cleanup.
What administrators should do
- Install the latest kernel package provided by your distribution.
- Verify the exact fixed version instead of assuming the first patched build is sufficient.
- Prioritize systems exposed to multiple users, containers, CI runners, and cloud workloads.
- Review vendor advisories closely, since rollout status varies by distribution and release.
While certain kernel hardening options may make exploitation more difficult, they are not substitutes for patching. Because no practical workaround fully removes the risk, updating the kernel remains the main defense.
Nebula also noted that GhostLock is part of a broader trend of recent Linux privilege-escalation discoveries, several of which were also found with automated tools. The company has indicated that a more detailed Android exploit write-up is expected later, after demonstrating that the flaw can be chained with a browser vulnerability into a full compromise.
