GhostLock (CVE-2026-43499): a 15-year-old Linux kernel bug gives any local user root in 5 seconds
In January 2011, a change landed in the Linux kernel's futex priority-inheritance handling. That code is still in every major Linux kernel today. It contains a use-after-free bug that Nebula Security has turned into a working root exploit with 97% reliability. The bug is tracked as CVE-2026-43499 and nicknamed GhostLock.
What is the bug?
GhostLock lives in the rtmutex (real-time mutex) priority-inheritance code path inside the kernel's futex subsystem. When a thread holding a priority-inherited lock is killed mid-handoff, the kernel can dereference a freed rtmutex waiter object. An unprivileged local user can trigger this condition with standard threading calls. No special permissions, no unusual kernel configuration, no network access required. CVSS score: 7.8 High.
Nebula Security's working exploit achieves root in approximately 5 seconds with 97% reliability, and it also escapes container boundaries. A process inside a container on a shared host can use GhostLock to become root on the host OS. Google awarded Nebula a $92,337 kernelCTF bounty for this research.
Scope
Every Linux distribution shipping a kernel since version 2.6.39 (2011) is affected. This includes Ubuntu, Debian, Fedora, RHEL, CentOS, AlmaLinux, Rocky Linux, SUSE, and essentially every server, cloud image, or container host running a mainstream Linux distribution for the past 15 years. Red Hat confirmed affected RHEL versions in RHSB-2026-010.
The container escape angle
Most Linux privilege escalation vulnerabilities affect only the local user context. GhostLock is more serious for shared environments because the exploit also breaks container isolation. If you run multi-tenant workloads, Kubernetes nodes, or any environment where container isolation is a security boundary, this elevates the blast radius from a compromised container process to root on the host.
What to do
Patch your kernel. This is the only effective remediation. There is no practical configuration change or workaround that prevents exploitation. Red Hat RHSB-2026-010 includes detection queries for RHEL-based systems. AlmaLinux has released fixed builds for versions 8, 9, and 10. CloudLinux offers a livepatch for GhostLock, enabling patch-without-reboot for subscribed systems. Plan a maintenance window and patch this week. A public exploit achieving root in 5 seconds will not stay undeployed in the wild for long.
The broader pattern
GhostLock follows a pattern that repeats every few years in Linux kernel security: old, obscure subsystem code that nobody audits regularly until a researcher runs a fuzzer or reads it carefully. The futex subsystem has a history of privilege escalation bugs. The lesson is not that Linux is uniquely insecure. It is that security-critical kernel code paths need regular audit and review, not just bug-fix maintenance. Code that landed in 2011 should not still carry a 15-year-old root exploit in 2026.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you are managing Linux infrastructure and need help assessing your patch exposure.