15-Year-Old Linux GhostLock Flaw Enables Root
🛡️ Researchers at Nebula Security disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel use-after-free that allows any logged-in user to gain root privileges on unpatched systems. The bug, present in mainstream distributions since 2011, requires only ordinary local threading calls and no network access. Nebula developed a 97% reliable exploit that also escapes containers and received $92,337 from Google's kernelCTF bounty. Patching is urgent, with early fixes having introduced a follow-up crash bug and distributions still rolling out the corrected kernel.
