GhostLock: 15-Year Linux Kernel Stack-UAF Vulnerability Disclosed
Original: GhostLock, a stack-UAF that has existed in all Linux distributions for 15 years
Why This Matters
A 15-year-old, no-privilege Linux kernel UAF with a near-perfect exploit rate highlights systemic kernel security gaps across all major distributions.
Nebula Security's VEGA Lab disclosed CVE-2026-43499 ('GhostLock'), a Linux kernel stack use-after-free bug present in all major distributions since 2011. The flaw requires no special privileges or kernel config to trigger, and was exploited into a 97%-stable privilege escalation and container escape, earning $92,337 from Google's kernelCTF program.
Nebula Security Research published the second installment of its IonStack series, detailing GhostLock (CVE-2026-43499), a stack use-after-free (UAF) vulnerability in the Linux kernel that has existed across all major distributions since 2011 — a span of approximately 15 years. The bug was discovered by Nebula's VEGA Lab and requires no elevated privileges or special kernel configuration to trigger, making its attack surface broad.
The research team developed a working exploit that achieves privilege escalation and container escape with a reported 97% stability rate. Google rewarded the team $92,337 through its kernelCTF bug bounty program in recognition of the exploit's quality and impact.
The writeup covers the full exploit chain, including: triggering the stack-UAF, a prefetch-based ASLR leak, CEA spray techniques to bypass kernel address space randomization, stack reuse via PR_SET_MM_MAP to forge a waiter structure, leveraging inet6_protos[IPPROTO_UDP] for a controlled write primitive, and a final ROP pivot using 'DirtyMode.' Mitigations discussed include RANDOMIZE_KSTACK_OFFSET and STATIC_USERMODE_HELPER kernel options, along with an official patch. The full technical disclosure follows responsible disclosure policy, with a timeline included in the report.