15-year-old Linux kernel flaw allows root access on most distros

A use-after-free vulnerability hiding in the Linux kernel since 2011 has been publicly disclosed, complete with working exploit code, raising alarms across the open-source ecosystem. The flaw, dubbed GhostLock and tracked as CVE-2026-43499, allows any logged-in local user to escalate privileges to full root and break out of container environments on virtually every mainstream Linux distribution.

A Decade and a Half Undetected

Researchers at Nebula Security published details of the vulnerability on Tuesday, revealing that it resides in the kernel’s real-time mutex (rtmutex) subsystem. The bug stems from a stack-based use-after-free condition triggered when the `remove_waiter()` function improperly references the `current` task pointer instead of `waiter::task`. The fix, merged into the mainline kernel in May, corrects this behavior by substituting the proper reference. gbhackers.com linux.oracle.com nvd.nist.gov

The flaw requires no special permissions, no unusual system configuration, and no network access — only local user-level login to a vulnerable machine. Its reach extends to servers, cloud workloads, embedded systems, and critically, containerized environments where it can defeat the isolation boundaries that containers are designed to enforce. secarma.com ground.news

Patch Complications

While no exploitation in the wild has been reported, Nebula Security’s release of functional exploit code has intensified urgency for administrators. Complicating matters, an early patch for GhostLock introduced a secondary crash bug, now tracked as CVE-2026-53166. That flaw, found in the kernel’s futex requeue mechanism, causes a NULL pointer dereference when a non-top waiter attempts to requeue a priority inheritance futex — crashing the kernel outright. A fix for CVE-2026-53166 was published in late June, and Red Hat issued its advisory on June 25. ground.news x.com access.redhat.com nvd.nist.gov

What Administrators Should Do

Organizations are advised to update to the latest patched kernel from their distribution vendor, verifying that the update addresses both CVE-2026-43499 and CVE-2026-53166. Systems running containerized workloads deserve particular attention, as do legacy machines and appliances that may fall outside standard patch cycles. Monitoring for unusual privilege escalation activity is recommended as an interim measure for environments where immediate patching is not feasible. access.redhat.com secarma.com