Researchers disclosed GhostLock (CVE-2026-43499), a long-hidden Linux kernel local privilege-escalation flaw that has existed since 2011 and affects nearly all mainstream distributions. The bug resides in priority-inheritance futex and real-time mutex handling, where a race condition can trigger a use-after-free and dangling pointer, allowing a logged-in unprivileged user to gain root on unpatched systems. The vulnerability affected kernels from Linux 2.6.39 through version 7.1, and researchers reported a weaponized exploit with high reliability.
The exploit can also enable container escape, raising risk for multi-user, cloud, and containerized environments. Researchers said the attack can bypass KASLR, hijack kernel control flow through the inet6_protos table, and use the DirtyMode technique to complete privilege escalation; they also tied GhostLock to a broader IonStack chain in which a Firefox flaw (CVE-2026-10702) delivers code execution before GhostLock elevates privileges, including in a demonstrated Firefox-on-Android scenario. The flaw was patched upstream in April under commit 3bfdc63936dd, but the initial fix introduced a separate crash bug (CVE-2026-53166), prompting defenders to deploy current kernel updates rather than early patched builds.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
AlmaLinux announced that all supported AlmaLinux OS releases 8, 9, and 10 are affected by GhostLock (CVE-2026-43499) and published backported patched kernels to its testing repositories for community validation before production release.
Nebula Security publicly disclosed GhostLock, describing it as a Linux local privilege-escalation flaw that can give logged-in users root access and enable container escape on unpatched systems. The disclosure included public exploit code and technical details showing high exploit reliability and use in the broader IonStack exploit chain.
The Linux kernel upstream fixed CVE-2026-43499 in April 2026 under commit 3bfdc63936dd. The initial fix reportedly introduced a separate crash issue later tracked as CVE-2026-53166, prompting guidance to use current kernel updates rather than early patched builds.
The GhostLock Linux kernel vulnerability, later tracked as CVE-2026-43499, was introduced in Linux 2.6.39 in 2011 and remained present for years in the kernel's futex priority-inheritance handling.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
11 references tracked. Mallory keeps watching after this page renders.
securityweek.com
Open sourceitpro.com
Open sourcethecybersecguru.com
Open sourceseclists.org
Open sourceseclists.org
Open sourcenebusec.ai
Open sourcegithub.com
Open sourceseclists.org
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.