Security
GhostLock CVE-2026-43499 gives local root and container escape on most Linux distributions
- Category: Security
- Status: confirmed
- Sources: Nebula Security writeup, r/linux discussion
- Summary: Nebula Security disclosed GhostLock (CVE-2026-43499) on 2026-07-07, a stack use-after-free in the Linux kernel rtmutex priority-inheritance code. The
remove_waiter()path inkernel/locking/rtmutex.cclears the wrong task'spi_blocked_onpointer during a proxy-lock rollback whenrt_mutex_start_proxy_lock()returns-EDEADLK. The bug was introduced in Linux 2.6.39 and reachable through 7.1-rc1 on any kernel built withCONFIG_FUTEX_PIenabled, which is the default in mainstream distributions. It needs no special capabilities, user namespaces, or network access. Nebula published a working exploit it reports as 97 percent reliable that gains root and escapes containers, and says Google awarded $92,337 through kernelCTF. The fix landed in Linux 7.1 in April 2026. No in-the-wild exploitation is known, and distributions are still shipping updates. - Why it matters: A default-enabled config path present in nearly every distribution for 15 years now has public root-and-container-escape exploit code, so unpatched multi-tenant and container hosts are directly exposed.