• Category: Security
  • Status: confirmed
  • Sources: Nebula Security writeup, r/linux discussion
  • Summary: Nebula Security disclosed GhostLock (CVE-2026-43499) on 2026-07-07, a stack use-after-free in the Linux kernel rtmutex priority-inheritance code. The remove_waiter() path in kernel/locking/rtmutex.c clears the wrong task's pi_blocked_on pointer during a proxy-lock rollback when rt_mutex_start_proxy_lock() returns -EDEADLK. The bug was introduced in Linux 2.6.39 and reachable through 7.1-rc1 on any kernel built with CONFIG_FUTEX_PI enabled, which is the default in mainstream distributions. It needs no special capabilities, user namespaces, or network access. Nebula published a working exploit it reports as 97 percent reliable that gains root and escapes containers, and says Google awarded $92,337 through kernelCTF. The fix landed in Linux 7.1 in April 2026. No in-the-wild exploitation is known, and distributions are still shipping updates.
  • Why it matters: A default-enabled config path present in nearly every distribution for 15 years now has public root-and-container-escape exploit code, so unpatched multi-tenant and container hosts are directly exposed.

Send feedback on this story