Press TechRound interviews Secure.com CEO on the future of AI security
Read

A 15-Year-Old Linux Bug Just Handed Attackers the Keys to Root

GhostLock, a 15-year-old Linux kernel bug, lets any local user gain root and escape containers. Working exploit code is now public.

Dateline: July 8, 2026

GhostLock: The Linux Flaw That Hid in Plain Sight Since 2011

For fifteen years, a flaw sat quietly inside the Linux kernel. Nobody noticed. Then an AI bug-hunting tool went looking, and now any logged-in user on an unpatched machine can turn themselves into root in about five seconds.

What Happened?

Researchers at Nebula Security disclosed a Linux kernel vulnerability they call GhostLock, tracked as CVE-2026-43499. It has lived in the kernel since 2011 and ships by default in nearly every mainstream Linux distribution.

The bug is a use-after-free in the kernel’s priority-inheritance futex code. In plain terms, the kernel keeps a note that points to a scrap of memory it already threw away. Trusting that stale pointer is the whole problem. From there, the team forged a fake object, hijacked a function table, and ended up running their own code as root.

Triggering it needs no special permission, no odd settings, and no network access. Ordinary threading calls from any local program are enough. Nebula built a working exploit that hit 97 percent reliability in testing and also broke out of containers. Google paid the team $92,337 through its kernelCTF bug-bounty program.

An AI tool named VEGA found it. That fits a pattern this year. Days earlier, researchers disclosed Bad Epoll, a close cousin in the same stretch of old, rarely-read kernel code. Automated tools have started combing machinery that few humans had reread in years.

The flaw scores 7.8 out of 10. It sits just below critical because an attacker needs a foothold on the machine first.

The Impact

Here is why a “local only” bug still matters. On its own it needs a starting point. But Nebula chained GhostLock to a Firefox flaw and demonstrated the full path, from one tap on a bad link to full control, against Firefox on Android. Bolted onto a browser exploit, a local bug becomes a remote takeover.

The container escape is the scary part. It lets code jump from an isolated workload onto the host. Cloud platforms lean on that isolation to keep tenants apart, so one flaw here can undo careful container defenses. Multi-tenant setups, cloud servers, and CI runners are the most exposed.

Working exploit code is now public. No one is known to be abusing it in the wild yet, but anyone can run it today.

How to Avoid This

Patching is the fix. Everything else buys time.

Move to a patched or latest LTS kernel now, and confirm the fixed package version rather than assuming one is waiting. As of early July, Ubuntu still listed 24.04, 22.04, and 20.04 LTS as vulnerable or in progress. Patch shared and multi-tenant machines first: cloud servers, containers, and CI runners.

Two build options, RANDOMIZE_KSTACK_OFFSET and STATIC_USERMODE_HELPER, make the exploit harder. They are mitigations, not fixes. Also watch the cleanup: the first patch introduced a separate crash bug, so install your distribution’s current kernel, not just the first patched build.

Old Bugs Don’t Announce Themselves. Your Defenses Should.

GhostLock hid for fifteen years across every Linux box in production. Secure.com helps you find and close that kind of exposure before an attacker does.

  • Continuous discovery of Linux hosts, containers, and cloud workloads, including the legacy systems that slip past normal patch cycles
  • Risk-based prioritization so root-level privilege escalation bugs jump to the top of the fix-first list
  • Fast tracing of which assets run the vulnerable kernel version once a CVE like this drops
  • Guided remediation that confirms the fixed package landed, not just that an update was queued
  • Ongoing monitoring of multi-tenant and container hosts where escape flaws do the most damage