GhostLock Privilege Escalation Flaw Lurked in Linux Kernel for 15 Years

A race condition in Linux kernel futex operations, present since 2011, allows unprivileged local attackers to craft control flow hijacking and achieve root access with high reliability.

CSBadmin
3 Min Read

Vulnerability Origin and Mechanism

A critical privilege escalation vulnerability in the Linux kernel, identified as CVE-2026-43499 and named GhostLock, has been disclosed by security researchers at VEGA. The flaw originates from a logic error in the kernel’s real-time mutex (rtmutex) subsystem, introduced in Linux version 2.6.39 in 2011. It remained undetected until patched in April 2026, affecting all kernels up to version 7.1.

The bug resides in the remove_waiter() function, which incorrectly clears a pointer for the currently executing task instead of the actual waiting task during certain futex operations. This creates a dangling pointer referencing freed kernel stack memory. An unprivileged local attacker can exploit this via a race condition involving priority inheritance futexes, triggering a deadlock that forces a kernel rollback. During rollback, the kernel leaves behind a stale pointer, allowing attackers to reclaim freed stack memory and replace it with controlled data, forging internal kernel structures.

Exploitation and Impact

Researchers from Nebula Security developed a highly reliable exploit with a 97% success rate, earning a $92,337 reward through Google’s kernelCTF program. The exploit achieves limited arbitrary writes to kernel memory, sufficient to overwrite critical structures like the inet6_protos table for IPv6 protocol operations. By redirecting a function pointer to attacker controlled memory, they hijack control flow when the kernel processes a crafted network packet. The attack bypasses kernel address space layout randomization (KASLR) using a timing side channel based on CPU prefetch instructions. The final stage, called DirtyMode, modifies permissions on a sysctl setting, enabling arbitrary code execution as root from user space.

The vulnerability requires no special privileges or kernel configuration, making it particularly dangerous in multi user systems and containerized environments. It also enables container escape scenarios, increasing impact in cloud and shared infrastructure. The Linux kernel maintainers fixed the issue by modifying remove_waiter() to correctly reference the intended task structure. Nebula Security noted the initial patch risked a null pointer exception, requiring an updated fix. Users are strongly advised to update to patched kernel versions or the latest long term support releases.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.