← All articles

15-year-old GhostLock flaw gives any Linux user root and escapes containers

Researchers at Nebula Security disclosed GhostLock, a Linux kernel flaw that lets any logged-in user gain full root on an unpatched machine, and it also escapes containers. Tracked as CVE-2026-43499, the bug has shipped by default in essentially every mainstream distribution since 2011 and needs no special permissions or network access; ordinary threading calls from any local program are enough. Nebula built a working exploit it says is 97 percent reliable and published the code, though no in-the-wild use is known yet. There is no full workaround, patch availability is uneven across distributions, and one earlier fix introduced a separate crash bug, so confirm the fixed package version.

Check
Check Linux systems, especially shared machines, cloud servers, containers, and CI runners, against your distribution's GhostLock advisory, and confirm the fixed package version is installed rather than assuming a patch is present.
Affected
Almost all Linux systems on unpatched kernels (CVE-2026-43499), since the flawed code has shipped by default since 2011; any local user can gain root and escape containers, with public exploit code available.
Fix
Apply your distribution's kernel update once the final version is available, prioritizing containers, CI runners, and multi-tenant hosts. The build options RANDOMIZE_KSTACK_OFFSET and STATIC_USERMODE_HELPER make exploitation harder but are not fixes.