Monday, July 13, 2026Vol. III · No. 194Subscribe
The Mining, Energy & Technology Wire
Mining · Analysis

GhostLock: 15-Year Linux Flaw Hits Root

A Linux kernel vulnerability that sat undetected for 15 years now lets any logged-in user gain root access in five seconds. Researchers earned $92,337 from Google for the find.

GhostLock: 15-Year Linux Flaw Hits Root
PhotographA Linux kernel vulnerability that sat undetected for 15 years now lets any logged-in user gain root access in five seconds. Researchers earned $92,337 from Google for the find.

Nebula Security published technical information and exploit code targeting a Linux kernel vulnerability that affects all major distributions since 2011, tracked as CVE-2026-43499 and referred to as GhostLock . The security researchers demonstrated that the defect could be exploited for a container escape in Google's kernelCTF program and received a $92,337 bug bounty reward .

GhostLock is a Linux kernel vulnerability found by VEGA that exists in every major distribution since 2011, triggering the bug does not require any special kernel config or privilege, and by turning it into a 97% stable privilege escalation and container escape, Google rewarded the researchers $92,337 in kernelCTF . The defect was introduced in Linux 2.6.39 in May 2011, which means essentially every kernel shipped in the last 15 years carries it; the vulnerable range runs from 2.6.39 up to just before 7.1 .

How Does a 15-Year-Old Bug Stay Hidden?

GhostLock was introduced back in 2011 (Linux 2.6.39) and sat unnoticed for roughly 15 years because it only depends on CONFIG_FUTEX_PI, which is enabled on essentially every distribution kernel, and it was reported to security@kernel.org by Nebula Security — who found it with their automated analysis tool, VEGA — and is now fixed in mainline (commit 3bfdc63936dd, Linux 7.1) .

GhostLock is a use-after-free in the Linux kernel's rtmutex/futex-PI code (remove_waiter() in kernel/locking/rtmutex.c), and on the requeue-PI proxy path, remove_waiter() clears pi_blocked_on on the requeuer instead of the waiter, so the waiter task can return to userspace with pi_blocked_on still pointing at the rt_mutex_waiter on its own FUTEX_WAIT_REQUEUE_PI stack frame, and that frame is freed the moment the syscall returns, and any later PI chain walk through the task follows the dangling pointer .

The flaw lives in code designed to prevent priority inversion — a situation where an urgent task gets stuck waiting behind a low-priority one. Futex priority inheritance dates to 2011 . What they share is old, heavily used kernel machinery that few had reread in years, until automated tools started combing it .

What Makes This Exploit Dangerous?

Researchers at Nebula Security disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched, the vulnerable code has shipped by default in essentially every mainstream distribution since 2011, the flaw needs no special permission, no unusual settings, and no network access; ordinary threading calls from any local program are enough, and Nebula turned it into a working root exploit that is 97% reliable in its testing and also escapes containers .

The researchers report their exploit produces a stable root shell about 97% of the time, in roughly five seconds, and it was disclosed on July 7, 2026 by the research team VEGA at Nebula Security, in a writeup titled "IonStack part II: GhostLock," alongside a working proof-of-concept .

The operational impact is clear: any system running an unpatched Linux kernel is at risk of full compromise if an attacker gains even limited user access, whether through phishing, supply chain compromise, insider activity or exploitation of another vulnerability, and container environments are particularly exposed, as the flaw enables escape from containerised workloads into the host system, undermining the isolation that containers are designed to provide, and this is especially concerning for organisations running multi-tenant environments, cloud platforms or containerised applications where workload isolation is a critical security control .

The IonStack Chain: From Browser to Root

GhostLock is the second half of a chain Nebula calls IonStack, the first half, CVE-2026-10702, is a Firefox flaw that runs code inside the browser and escapes its sandbox; GhostLock carries it the rest of the way to root, and the first half is a flaw discovered in Firefox's JavaScript engine . It is a flaw discovered in Firefox's JavaScript engine (Mozilla bulletin MFSA 2026-54): a malicious page can use it to execute code in the browser and break out of the sandbox, and this vulnerability was fixed in Firefox 151.0.3 on June 2, 2026 .

Nebula has already demonstrated the full chain, starting from a single tap on a malicious link leading all the way to full control, by exploiting Firefox on Android, and that is why a "local only" kernel bug still matters: on its own, it needs a foothold, but bolted onto a browser exploit, it becomes a remote compromise .

The CVSS score for GhostLock sits at 7.8 — classified as "High" rather than "Critical" because it requires local access. CVSS scores each vulnerability individually, and alone, GhostLock requires local access, which limits its score to 7.8 "High" rather than a 9.x "Critical" remote code execution rating, but the IonStack chain — combining CVE-2026-10702 (a Firefox JIT flaw, patched June 2) with GhostLock — eliminates that local-access requirement, and visiting a malicious webpage in unpatched Firefox is enough to trigger the full chain, and the CVSS score reflects the component; the real-world risk reflects the chain .

Who Needs to Patch First?

Ubuntu, for example, had patched its newest release and some cloud kernels, but as of early July still listed 24.04, 22.04, and 20.04 LTS as vulnerable or in progress . The patched kernel for GhostLock (CVE-2026-43499) has been released to the production repositories for every affected AlmaLinux release — 8, 9, and 10, and the fixed versions released to production are kernel-4.18.0-553.141.2.el8_10 (AlmaLinux 8), kernel-5.14.0-687.24.1.el9_8 (AlmaLinux 9), and kernel-6.12.0-211.32.1.el10_2 (AlmaLinux 10), or higher .

Red Hat is expediting the release of fixes for CVE-2026-43499 and CVE-2026-53166, these flaws were discovered in the Linux kernel's locking subsystem, related to mutexes, and these could allow a local attacker to achieve privilege escalation or cause a denial of service .

Patch shared and multi-tenant machines first, cloud servers, containers, and CI runners, where an attacker is most likely to find the local foothold this bug needs . On a multi-tenant server that is the worst case a hosting provider plans for: a single compromised site, a low-trust shell account, or a hacked plugin can go from an ordinary process to full control of the machine, and every other customer on it, in seconds .

Critical Infrastructure at Risk

In environments where patching is slow, particularly in critical infrastructure, an initial compromise can escalate into full system control and operational disruption, and this primarily affects sectors such as energy, utilities, manufacturing, healthcare, transportation, and government systems that rely on long-lived or specialized Linux deployments .

Linux underpins industrial control systems across the energy sector. The following versions of Impact of Linux Kernel vulnerabilities on B&R products are affected: Linux for B&R <=12, APROL <APROL-AutoYaST-DVD- V4.4-010.10.260602, X20EDS410 /all, and Critical Infrastructure Sectors: Critical Manufacturing .

While Linux is widely used in these environments because it is stable, flexible, and cost-effective, these same characteristics often lead to systems that are harder to patch, allowing vulnerabilities to persist . Industrial environments running SCADA systems, programmable logic controllers, and other operational technology often operate on extended patch cycles due to uptime requirements and change-control processes.

Part of a Broader Pattern

GhostLock joins a run of 2026 Linux privilege-escalation bugs, several of which share a detail: an automated tool found them, VEGA found GhostLock; days earlier, researchers disclosed Bad Epoll (CVE-2026-46242), a close cousin that also turns an unprivileged user into root .

Another 2026 bug, Copy Fail (CVE-2026-31431), is already on CISA's list of vulnerabilities seen in real-world attacks . CVE-2026-31431 Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability, and this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise .

The Linux kernel topped the list of CVE (Common Vulnerabilities and Exposures) disclosures for the first half of 2026, according to statistics shared by longtime Linux kernel maintainer Greg Kroah-Hartman, and in the vendor-level breakdown, Linux led with 2,308 disclosed CVEs, followed by Google with 1,752 .

What Changed This Week

A vulnerability that existed in every mainstream Linux distribution for 15 years now has public exploit code and a demonstrated attack chain that turns a browser click into full system compromise. Researchers earned nearly $100,000 from Google for finding it. Major distributions are shipping patches, but coverage remains uneven, particularly for long-term support releases still widely deployed in enterprise and critical infrastructure environments.

What to Watch

Distribution security advisories for kernel updates targeting CVE-2026-43499. Red Hat, Ubuntu, Debian, and other major vendors are releasing patches on different schedules. Multi-tenant cloud providers and container orchestration platforms should prioritize updates to prevent cross-tenant compromise. Industrial control system operators running Linux-based SCADA, PLC controllers, or other operational technology should assess patch timelines against operational requirements — this flaw affects systems that may have years-long update cycles.


Reporting based on coverage from The Hacker News, SecurityWeek, Nebula Security, CloudLinux, AlmaLinux, Red Hat, Secarma, CISA, July 7-13, 2026.

Original reporting and analysis by the Stake & Paper editorial team. See linked sources within the article.

Share this story

More from Stake & Paper

Was this article helpful?

ClaimWatch

Mining claims intelligence — from query to report, in minutes.

Every unpatented mining claim across all twelve BLM states. Leadfile audits, due diligence, site selection, regional prospecting, entity investigations, and AOI monitoring — delivered as complete report packages.

4.4M+
Claims Tracked
12
BLM States
7
Report Types
Request a Sample Report
Stake & Paper AM

One morning brief. The whole energy sector.

Original analysis, the day's most important wire stories, and market data — delivered before your first cup of coffee. Free.