AI Discovers 15-Year-Old Linux Root Bug Missed by Everyone

Original: AI Found a Root Bug in Linux That Everyone Missed for 15 Years

Why This Matters

Demonstrates AI's growing capability to find critical, long-dormant vulnerabilities in foundational open-source infrastructure.

Nebula Security's AI tool VEGA uncovered GhostLock (CVE-2026-43499), a use-after-free Linux kernel bug dormant for 15 years that allows any logged-in user to gain root access. Present in all major distributions since 2011, the exploit was 97% reliable in testing and earned a $92,337 Google kernelCTF bounty.

Nebula Security has published exploit code for GhostLock (CVE-2026-43499), a use-after-free vulnerability in the Linux kernel that went undetected for 15 years. The flaw, present in virtually every major Linux distribution since 2011, allows any logged-in user to gain root access without special permissions or network connectivity. Nebula's exploit can also escape containers and demonstrated 97% reliability during testing, earning a $92,337 payout via Google's kernelCTF bug bounty program. The bug was patched in April 2026, but patch availability remains inconsistent — Ubuntu listed versions 24.04, 22.04, and 20.04 LTS as still vulnerable or in progress as of early July. Crucially, the vulnerability was discovered using VEGA, Nebula's AI-powered bug-hunting tool. GhostLock is part of a broader 2026 trend in which automated tools have surfaced multiple Linux privilege-escalation flaws by re-analyzing older kernel code that had received little human review in years. Security teams are advised to verify patched packages rather than assume updates have been applied.

Source

wired.com — Read original →