Skip to content
Tech News
← Back to articles

GhostLock, a stack-UAF that has existed in ALL Linux distributions for 15 years

read original more articles

IonStack part II: GhostLock, a stack-UAF that has existed in ALL Linux distributions for 15 years

IonStack part II: GhostLock, a stack-UAF that has existed in ALL Linux distributions for 15 years

IonStack part II: GhostLock, a stack-UAF that has existed in ALL Linux distributions for 15 years

Need something less technical? Take a quick look at our bug summary. Read the bug summary →

GhostLock (CVE-2026-43499) is a Linux kernel vulnerability found by VEGA that exists in every major distribution since 2011. Triggering the bug does not require any special kernel config or privilege. By turning it into a 97% stable privilege escalation and container escape, Google has rewarded us $92,337 in kernelCTF. This writeup covers the technical details of the exploit.

Vulnerability Summary

GhostLock (CVE-2026-43499) lets an unprivileged local attacker:

Get a dangling kernel pointer to kernel stack memory with only regular threading syscalls.

Write a pointer to an almost arbitrary address.

Hijack a function table to get control flow hijack and eventually get root access.

... continue reading