Nebula Security published technical information and exploit code targeting a Linux kernel vulnerability that affects all major distributions since 2011, tracked as CVE-2026-43499 and referred to as GhostLock . The security researchers demonstrated that the defect could be exploited for a container escape in Google's kernelCTF program and received a $92,337 bug bounty reward .
GhostLock is a Linux kernel vulnerability found by VEGA that exists in every major distribution since 2011, triggering the bug does not require any special kernel config or privilege, and by turning it into a 97% stable privilege escalation and container escape, Google rewarded the researchers $92,337 in kernelCTF . The defect was introduced in Linux 2.6.39 in May 2011, which means essentially every kernel shipped in the last 15 years carries it; the vulnerable range runs from 2.6.39 up to just before 7.1 .
How Does a 15-Year-Old Bug Stay Hidden?
GhostLock was introduced back in 2011 (Linux 2.6.39) and sat unnoticed for roughly 15 years because it only depends on CONFIG_FUTEX_PI, which is enabled on essentially every distribution kernel, and it was reported to security@kernel.org by Nebula Security — who found it with their automated analysis tool, VEGA — and is now fixed in mainline (commit 3bfdc63936dd, Linux 7.1) .
GhostLock is a use-after-free in the Linux kernel's rtmutex/futex-PI code (remove_waiter() in kernel/locking/rtmutex.c), and on the requeue-PI proxy path, remove_waiter() clears pi_blocked_on on the requeuer instead of the waiter, so the waiter task can return to userspace with pi_blocked_on still pointing at the rt_mutex_waiter on its own FUTEX_WAIT_REQUEUE_PI stack frame, and that frame is freed the moment the syscall returns, and any later PI chain walk through the task follows the dangling pointer .
The flaw lives in code designed to prevent priority inversion — a situation where an urgent task gets stuck waiting behind a low-priority one. Futex priority inheritance dates to 2011 . What they share is old, heavily used kernel machinery that few had reread in years, until automated tools started combing it .
What Makes This Exploit Dangerous?
Researchers at Nebula Security disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched, the vulnerable code has shipped by default in essentially every mainstream distribution since 2011, the flaw needs no special permission, no unusual settings, and no network access; ordinary threading calls from any local program are enough, and Nebula turned it into a working root exploit that is 97% reliable in its testing and also escapes containers .
The researchers report their exploit produces a stable root shell about 97% of the time, in roughly five seconds, and it was disclosed on July 7, 2026 by the research team VEGA at Nebula Security, in a writeup titled "IonStack part II: GhostLock," alongside a working proof-of-concept .
The operational impact is clear: any system running an unpatched Linux kernel is at risk of full compromise if an attacker gains even limited user access, whether through phishing, supply chain compromise, insider activity or exploitation of another vulnerability, and container environments are particularly exposed, as the flaw enables escape from containerised workloads into the host system, undermining the isolation that containers are designed to provide, and this is especially concerning for organisations running multi-tenant environments, cloud platforms or containerised applications where workload isolation is a critical security control .
The IonStack Chain: From Browser to Root
GhostLock is the second half of a chain Nebula calls IonStack, the first half, CVE-2026-10702, is a Firefox flaw that runs code inside the browser and escapes its sandbox; GhostLock carries it the rest of the way to root, and the first half is a flaw discovered in Firefox's JavaScript engine . It is a flaw discovered in Firefox's JavaScript engine (Mozilla bulletin MFSA 2026-54): a malicious page can use it to execute code in the browser and break out of the sandbox, and this vulnerability was fixed in Firefox 151.0.3 on June 2, 2026 .
Nebula has already demonstrated the full chain, starting from a single tap on a malicious link leading all the way to full control, by exploiting Firefox on Android, and that is why a "local only" kernel bug still matters: on its own, it needs a foothold, but bolted onto a browser exploit, it becomes a remote compromise .
The CVSS score for GhostLock sits at 7.8 — classified as "High" rather than "Critical" because it requires local access. CVSS scores each vulnerability individually, and alone, GhostLock requires local access, which limits its score to 7.8 "High" rather than a 9.x "Critical" remote code execution rating, but the IonStack chain — combining CVE-2026-10702 (a Firefox JIT flaw, patched June 2) with GhostLock — eliminates that local-access requirement, and visiting a malicious webpage in unpatched Firefox is enough to trigger the full chain, and the CVSS score reflects the component; the real-world risk reflects the chain .



