CVE-2026-43499 “GhostLock”: 15-Year-Old Linux Kernel Flaw Gives Local Users Root Access and Container Escape — Public PoC Released

CVE-2026-43499 “GhostLock”: 15-Year-Old Linux Kernel Flaw Gives Local Users Root Access and Container Escape — Public PoC Released

CVE: CVE-2026-43499 | CVSS 3.1: 7.8 (High) | Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE: CWE-416 (Use After Free) | Vendor: Linux Kernel | Product: rt_mutex/futex | Affected: Most Linux distributions since 2011 | Discovered by: Nebula Security (2,337 via Google kernelCTF)


What Is the Vulnerability

CVE-2026-43499, dubbed GhostLock, is a 15-year-old use-after-free vulnerability in the Linux kernel rt_mutex code, triggered via the futex subsystem. The vulnerable code shipped by default in essentially every mainstream Linux distribution since 2011 — approximately 15 years. The flaw requires no special permissions, no unusual settings, and no network access. Ordinary threading calls from any local program are enough to trigger it. Nebula Security turned it into a working root exploit that is 97% reliable in their testing. Critically, the same flaw also enables container escape — a compromised container can break out to the host kernel. Google awarded the team 2,337 through its kernelCTF bug bounty program. Working exploit code has been published by the researchers.


Versions Affected

  • Linux kernel — most mainstream distributions since 2011

Affects Linux servers, desktops, cloud instances, container hosts, and any system running a vulnerable kernel. The futex subsystem is a core component used by virtually all threaded applications.


Exploited?

No confirmed exploitation in the wild at time of publication. However, Nebula Security has published working exploit code. Given the ease of exploitation (any local user, 97% reliability, public exploit code available), weaponisation by threat actors is expected imminently. This is a race condition: organisations must patch before attackers incorporate the exploit into their toolkits.


Fix

Kernel patches are being distributed through Linux distribution update channels.

  • Primary fix: Apply the latest kernel updates from your Linux distribution.
  • Workaround: Restrict local user access to trusted users only. Container environments should ensure seccomp profiles block the futex operations that trigger the vulnerability.

Recommendations

  • Patch immediately: Public exploit code is available. Prioritise multi-tenant servers, container hosts, and any system where unprivileged users have shell access.
  • Container environments: The container escape vector makes this especially dangerous for Kubernetes and Docker hosts.
  • Monitor for exploitation: Review kernel logs for signs of kernel-level privilege escalation attempts.
  • Cloud providers: Apply hypervisor-level kernel updates to protect customer workloads.

References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 8, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!