The Hacker News

15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros

Discovery and Impact

Researchers at Nebula Security have disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched.

The vulnerable code has shipped by default in essentially every mainstream distribution since 2011. The flaw needs no special permission, no unusual settings, and no network access to exploit.

Affected Systems

The vulnerability affects all major Linux distributions, including:

  • Ubuntu (all versions since 2011)
  • Debian (all versions since 2011)
  • Red Hat Enterprise Linux / CentOS
  • Fedora
  • SUSE Linux Enterprise Server
  • Arch Linux
  • Gentoo

Technical Details

GhostLock resides in the kernel's memory management subsystem, specifically within the mmap and mremap system call paths. The bug allows an unprivileged user to:

  • Escalate privileges from a regular user account to root
  • Break out of container environments
  • Execute arbitrary code with kernel-level permissions

The exploit requires only a local user account on the target system. No special capabilities, groups, or system configurations are needed.

Mitigation

System administrators should apply the kernel patch immediately. The fix is available in the following kernel versions:

  • Linux 6.12.3 (stable)
  • Linux 6.6.67 (LTS)
  • Linux 6.1.124 (LTS)
  • Linux 5.15.176 (LTS)
  • Linux 5.10.234 (LTS)
  • Linux 5.4.289 (LTS)

Detection

Nebula Security has released a detection script that checks for the vulnerable code path. The script runs without elevated privileges and reports whether the system is patched or vulnerable.

Timeline

The vulnerability timeline is as follows:

  • 2011: Vulnerable code introduced in Linux kernel 3.0
  • 2026-07-01: Nebula Security privately discloses the flaw to the Linux kernel security team
  • 2026-07-03: Patch developed and tested
  • 2026-07-05: Coordinated public disclosure and patch release
  • 2026-07-06: CVE-2026-43499 assigned

Comments

No comments yet. Start the discussion.