15-year-old GhostLock flaw gives any Linux user root and escapes containers
Researchers at Nebula Security disclosed GhostLock, a Linux kernel flaw that lets any logged-in user gain full root on an unpatched machine, and it also escapes containers. Tracked as CVE-2026-43499, the bug has shipped by default in essentially every mainstream distribution since 2011 and needs no special permissions or network access; ordinary threading calls from any local program are enough. Nebula built a working exploit it says is 97 percent reliable and published the code, though no in-the-wild use is known yet. There is no full workaround, patch availability is uneven across distributions, and one earlier fix introduced a separate crash bug, so confirm the fixed package version.
- Check
- Check Linux systems, especially shared machines, cloud servers, containers, and CI runners, against your distribution's GhostLock advisory, and confirm the fixed package version is installed rather than assuming a patch is present.
- Affected
- Almost all Linux systems on unpatched kernels (CVE-2026-43499), since the flawed code has shipped by default since 2011; any local user can gain root and escape containers, with public exploit code available.
- Fix
- Apply your distribution's kernel update once the final version is available, prioritizing containers, CI runners, and multi-tenant hosts. The build options RANDOMIZE_KSTACK_OFFSET and STATIC_USERMODE_HELPER make exploitation harder but are not fixes.