Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

15-Year-Old Linux Vulnerability ‘GhostLock’ Earns Researchers $92k From Google

Affecting every major distribution since 2011, the Linux kernel vulnerability allows attackers to gain root access.

Linux vulnerability

Nebula Security has published technical information and exploit code targeting a Linux kernel vulnerability that affects all major distributions since 2011.

Tracked as CVE-2026-43499 and referred to as GhostLock, the security defect was introduced in Linux 2.6.39 and lurked in the kernel for 15 years until a patch was rolled out in April.

GhostLock is a use-after-free issue introduced with a helper function designed to clean up after a task has been closed, as part of the kernel’s system of prioritizing urgent tasks.

Normally, the cleanup function would clear the current task. Due to the security defect, when a deadlock is encountered and a rollback occurs, the function clears the memory and reuses it while a pointer to it exists in another task.

The issue exists because the function assumes that the current task is the one that needs to be cleared up. However, when a requeue is requested, the function cleans up on behalf of a sleeping thread instead of the current one.

Nebula Security says it was able to exploit the vulnerability to control the inadvertently freed memory and achieve local privilege escalation to root.

Advertisement. Scroll to continue reading.

It also demonstrated that the security defect could be exploited for a container escape in Google’s kernelCTF program and received a $92,337 bug bounty reward.

GhostLock is the latest in a series of Linux kernel flaws that have been publicly disclosed over the past months. The list also includes Januscape, Bad Epoll, DirtyClone, CIFSwitch, DirtyDecrypt (aka DirtyCBC), Fragnesia, and Dirty Frag.

Related: Microsoft Patches Defender ‘RoguePlanet’ Vulnerability

Related: Chrome 150 Update Patches 27 Vulnerabilities

Related: Unpatched Backdoor in Tenda Firmware Grants Admin Access to Devices

Related: CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.