Researchers have uncovered a Linux kernel vulnerability called GhostLock that remained hidden for 15 years. It allows attackers with local access to gain root privileges on virtually every major Linux distribution released since 2011.
GhostLock, tracked as CVE-2026-43499, was introduced in Linux 2.6.39 and remained undiscovered for more than 15 years. The vulnerability was finally fixed in Linux 7.1.
The flaw allows a local attacker to gain full root privileges, effectively taking complete control of a compromised system.
The issue stems from a bug in a helper function within the Linux kernel scheduler responsible for cleaning up completed tasks. Under normal conditions, it correctly frees memory. However, during a deadlock rollback, it can mistakenly release memory while another task still holds a reference to it.
This results in a classic use-after-free vulnerability, allowing an attacker to manipulate the freed memory before it is reused by the system. During testing, researchers successfully exploited the flaw to achieve local privilege escalation to root.
The exploit succeeded in approximately 97% of test cases. The researchers also received a $92,337 reward through Google’s kernelCTF bug bounty program for discovering the vulnerability.
At present, there is no practical mitigation for GhostLock other than updating the system. Installing a kernel version that includes the fix is the only complete solution.
GhostLock was discovered using VEGA, an AI-powered vulnerability research and security agent developed by Nebula Security. According to the company, VEGA is capable of identifying security flaws significantly faster than human researchers.