Need Reliable Internet?

Business Fibre • Wireless • Hosting • VoIP

Get Quote

Researchers at Nebula Security have identified GhostLock, a Linux kernel vulnerability tracked as CVE-2026-43499 that has been present since Linux 2.6.39 in 2011.

Need Reliable Internet?

Business Fibre • Wireless • Hosting • VoIP

Get Quote

The flaw allows attackers with local access to escalate privileges to root on nearly all major Linux distributions released since that time. Linux kernel version 7.1 includes a fix for the issue, but currently, the only practical precaution is to install the updated kernel.

The vulnerability was discovered by Nebula Security’s AI agent VEGA, and Google awarded a $92,337 bug bounty through its kernelCTF program. During testing, the exploit worked successfully 97 percent of the time.

What GhostLock Does and Which Linux Systems Are Affected

GhostLock is a local privilege escalation vulnerability that allows an attacker with access to a system to potentially gain full root privileges and take complete control.

The flaw stems from a helper function within the Linux kernel’s scheduling system, responsible for cleaning up tasks after they finish. When a deadlock occurs and a rollback is initiated, the function can free memory while another task still holds a reference to it. This situation creates a use-after-free condition that attackers can exploit.

The vulnerability is present in Linux kernel versions from 2.6.39, released in 2011, up to Linux 7.0, and affects nearly all major Linux distributions released since 2011. It impacts both server and desktop Linux systems, particularly those where an attacker has already established some level of local access.

Given its 15-year history, GhostLock has been a persistent issue, affecting the vast majority of Linux systems deployed worldwide over that period.

Why Only a Patched Kernel Fixes It and What Users Should Do

There is currently no practical workaround or mitigation for GhostLock. Nebula Security has stated that the only reliable solution is installing the patched kernel.

Users and administrators of affected systems should verify their current kernel version by running uname -r on the affected device, then update to Linux 7.1 or a newer version through the distribution’s standard package management system.

After updating, a system reboot is necessary to activate the new kernel, and you should verify that the update was successful by checking uname -r again post-reboot.

For enterprise Linux distributions such as Red Hat Enterprise Linux, SUSE Linux Enterprise, and Ubuntu LTS, vendors are expected to backport the fix into their supported versions. Users on these distributions should stay alert for kernel updates via their usual update channels.

For distributions that use the mainline kernel directly, installing a kernel from the 7.1 series or later will resolve the issue.

GhostLock requires local access for exploitation, which serves as a mitigating factor. An attacker must first gain some level of access to the system before using GhostLock to escalate privileges.

Common ways to gain initial access include compromised user accounts through phishing or credential theft, malicious software installed by the user, shared systems with multiple users, exploits of other vulnerabilities that allow code execution, or physical access to unattended devices.

Because GhostLock has a high success rate of 97 percent, once an attacker has any form of local access, the tool offers a nearly certain path to root privileges.

How AI Helped Find GhostLock and Where the Fix Is Available

VEGA, an AI bug-hunting and security agent developed by Nebula Security, uncovered a flaw. Nebula states that VEGA can identify vulnerabilities more quickly than human researchers.

This discovery highlights a broader shift in vulnerability research. Other recent examples include Anthropic’s Mythos model, which found vulnerabilities in highly sensitive U.S. government systems during a testing exercise in June 2026.

Senator Mark Warner reported that National Security Agency chief Joshua Rudd said Mythos “broke into almost all of our classified systems, not in weeks, but in hours.”

The pattern suggests that AI-assisted vulnerability discovery is becoming an important part of both defensive and offensive security efforts. Older code that has gone unexamined for years, such as the 15-year-old function behind GhostLock, is likely to receive renewed attention as AI tools grow more capable.

For Linux system administrators, it is recommended to prioritize kernel updates on production systems, especially those with multiple users or shared access:

  1. Verify that update paths are available through the current distribution’s package management system.
  2. Review recent activity on affected systems for signs of prior exploitation.
  3. Consider whether local account access controls need tightening.

For desktop Linux users, update to the latest kernel version available through the distribution’s standard update mechanism:

  1. Reboot after installing kernel updates to activate the new version.
  2. Be aware that some distributions delay major kernel version changes; verify that the specific fix has been backported into the installed kernel.

For cloud infrastructure users, verify that provider images have been updated to include the patched kernel:

  • Rebuild virtual machines from updated base images if necessary.
  • Consider running vulnerability scans against production systems to identify any that remain unpatched.

The Nebula Security disclosure and Google’s acknowledgment of the kernelCTF program offer reference details that security teams can use to verify their systems. Checking the kernel version remains the most straightforward way to confirm whether GhostLock has been addressed.

In addition, detection methods for local privilege escalation, such as endpoint monitoring, audit logs, and behavioral analysis, are the primary tools for identifying potential exploitation.

GhostLock is part of an expanding list of long-standing Linux kernel vulnerabilities discovered in recent years. Older code, developed before modern security review practices, often contains subtle bugs that may only surface years later. The combination of AI-assisted discovery and the extensive Linux kernel code base suggests that more similar findings are likely.

Linus Torvalds recently expressed frustration with AI-generated bug reports, especially those highlighting kernel security issues without providing clear exploitation paths.

In contrast, GhostLock is different: it includes a working exploit, a high success rate, and a significant bounty, which support the validity of the finding.

Linux 7.1 with the GhostLock patch is now available through mainline kernel repositories, distribution package management systems for those who have incorporated the fix, and updated cloud images from major infrastructure providers. Users should install the update as soon as their distribution offers a new kernel version, as there is no interim mitigation available while waiting.

Thank you for being a Ghacks reader. The post AI Agent Discovers 15-Year-Old Linux Kernel Privilege Escalation Bug Named GhostLock appeared first on gHacks.

Need Reliable Internet?

Business Fibre • Wireless • Hosting • VoIP

Get Quote