HeadlinesBriefing favicon HeadlinesBriefing.com

GhostLock: 15-Year Linux Kernel Vulnerability Found

Hacker News •
×

Researchers have detailed GhostLock (CVE-2026-43499), a stack-based use-after-free vulnerability residing in the Linux kernel for over 15 years, affecting all distributions since version 2.6.39. Discovered by VEGA, the flaw allows an unprivileged local attacker to gain root access and escape containers with a reported 97% stability. Google awarded the team $92,337 for the exploit.

The vulnerability stems from a flaw in the `remove_waiter()` function within `kernel/locking/rtmutex.c`. Originally designed for a single thread cleaning up its own blocking state, the function was misused in the proxy path of `rt_mutex_start_proxy_lock()`. This path handles cleanup for a different, sleeping thread, causing `remove_waiter()` to incorrectly clear the `pi_blocked_on` field of the wrong task. This leaves a dangling kernel pointer to freed stack memory.

Exploiting GhostLock involves creating a specific three-thread futex dependency cycle to trigger a deadlock and subsequent rollback. This process leaves the dangling pointer intact when the waiter task returns to userspace. The exploit then reclaims the freed stack memory and sprays controlled data to forge a fake `rt_mutex_waiter` object. This forged object enables arbitrary pointer writes, ultimately allowing control flow hijacking via manipulation of structures like `inet6_protos` and leading to privilege escalation.