A 15-year-old Linux kernel bug just got a public, fully working root exploit. On July 7, 2026, Nebula Security disclosed GhostLock CVE-2026-43499 — a use-after-free flaw in the kernel’s futex priority-inheritance locking code. Their exploit reaches root from an unprivileged process in about five seconds at 97 percent reliability. It also escapes containers, turning a single compromised workload into full host compromise. The vulnerable code has shipped by default in every mainstream Linux distribution since 2011 — roughly 15 years of undetected exposure. Patched kernels are now in production for AlmaLinux, RHEL, and Debian 13. Ubuntu 22.04 LTS, 24.04 LTS, and Debian 11 and 12 are still listed as vulnerable or in progress. This post covers exactly what the bug is, which systems are exposed, how to verify whether your kernel is patched, and what to do right now.

What Is GhostLock CVE-2026-43499?
The bug lives in kernel/locking/rtmutex.c, specifically in the futex priority-inheritance requeue path. To understand why this matters, a brief explanation of the affected mechanism helps. A futex (fast userspace mutex) is the kernel’s standard locking primitive, optimized so kernel involvement is only needed when a thread actually has to wait. Priority inheritance is a feature that prevents high-priority threads from being blocked indefinitely by low-priority ones — when a high-priority thread waits on a lock held by a low-priority thread, the kernel temporarily boosts the low-priority thread’s scheduling priority so it can release the lock quickly.
The bug is in the cleanup helper remove_waiter(). Specifically, that function assumes the thread being cleaned up always belongs to the currently executing task. In the FUTEX_CMP_REQUEUE_PI requeue path, however, the kernel sometimes unwinds on behalf of a different, sleeping thread when it detects a deadlock. Because remove_waiter() makes the wrong assumption in that case, it clears the wrong thread’s bookkeeping — leaving a live thread pointing at already-freed kernel stack memory. That freed memory is then reusable by an attacker, giving them a controlled write into the kernel’s priority-inheritance state, which chains into arbitrary kernel read/write, control-flow hijack, and root.
According to The Hacker News, Nebula Security’s VEGA automated analysis tool found the flaw, and the team built a full exploit chain they call IonStack: a Firefox JavaScript engine flaw (CVE-2026-10702) provides initial code execution inside the browser, and GhostLock carries it from there to host root. Google’s kernelCTF program awarded the team 92,337 dollars for the chain.

Which Systems Are Affected?
The only kernel prerequisite is CONFIG_FUTEX_PI=y, the priority-inheritance futex option. Because this is enabled by default on every major distribution, and because the vulnerable code entered the kernel in May 2011, the exposure covers essentially every Linux kernel shipped in the last 15 years. Here is the current patch status as of July 11, 2026:
| Distribution | Status | Patched Version |
|---|---|---|
| AlmaLinux 8 | Patched (production) | kernel-4.18.0-553.141.2.el8_10 |
| AlmaLinux 9 | Patched (production) | kernel-5.14.0-687.24.1.el9_8 |
| AlmaLinux 10 | Patched (production) | kernel-6.12.0-211.32.1.el10_2 |
| RHEL 8 / 9 | Patched | See RHSA advisory |
| Debian 13 (Trixie) | Patched | kernel 6.12.95-1 |
| Debian 11 / 12 | In progress | Watch debian.org/security |
| Ubuntu 26.04 LTS | Patched | Check ubuntu.com/security |
| Ubuntu 22.04 / 24.04 LTS | Vulnerable / in progress | Watch ubuntu.com/security/CVE-2026-43499 |
| Fedora 44 / 45 | Patched | kernel 7.0.14-201.fc44 |
| KernelCare livepatch | Available (RHEL/Alma 9) | K20260709_03 and later |
One important caveat: the original upstream fix (commit 3bfdc63936dd) introduced a separate crash bug tracked as CVE-2026-53166. Distros are shipping both fixes together. On Debian 12, for example, the GhostLock fix is in kernel 6.12.95-1 but CVE-2026-53166 had not yet landed as of the disclosure date — so even patched systems should track the follow-up advisory.
Check If Your System Is Patched Right Now
Run these checks on every Linux server you manage before doing anything else:
# Step 1: Check kernel version
uname -r
# Step 2: Cross-reference against patched versions above
# AlmaLinux / RHEL -- check RPM changelog for CVE
rpm -q --changelog kernel | grep -i CVE-2026-43499 | head -3
# Ubuntu / Debian -- check apt changelog
apt-cache show linux-image-$(uname -r) 2>/dev/null | grep -i CVE-2026-43499
# Fedora
rpm -q --changelog kernel | grep -i CVE-2026-43499 | head -3
# KernelCare livepatch -- confirm patch is applied
kcarectl --patch-info 2>/dev/null | grep CVE-2026-43499
# Step 3: Confirm CONFIG_FUTEX_PI is enabled (it is on virtually every system)
grep CONFIG_FUTEX_PI /boot/config-$(uname -r) 2>/dev/null
# CONFIG_FUTEX_PI=y means the attack path is present in this kernel
If your kernel version is below the patched threshold for your distribution and you see CONFIG_FUTEX_PI=y, treat the system as actively vulnerable. Apply the patch or the interim mitigation below before the end of today.
Apply the Kernel Patch Now
Patched kernels are in production for AlmaLinux, RHEL, Fedora, and Debian 13. Update and reboot — there is no kernel module to unload and no sysctl to flip that fully closes this one without a kernel restart. Here is the command for each distro:
AlmaLinux 8 / 9 / 10 and RHEL 8 / 9
dnf clean metadata && dnf upgrade kernel -y
reboot
uname -r
# Confirm CVE is in changelog
rpm -q --changelog kernel | grep CVE-2026-43499 | head -3
Fedora 44 / 45
dnf upgrade --refresh -y && reboot
uname -r
Debian 13 (Trixie)
apt update && apt full-upgrade -y && reboot
uname -r
Debian 11 / 12 and Ubuntu 22.04 / 24.04 (patch not yet in stable)
# Update now to get the latest available build -- patch may have landed
apt update && apt upgrade linux-image-generic -y
reboot
# After reboot, verify if the fix is included
apt-cache show linux-image-$(uname -r) 2>/dev/null | grep -i ghostlock
apt-cache show linux-image-$(uname -r) 2>/dev/null | grep -i CVE-2026-43499
# If not patched yet, subscribe to the security tracker:
# https://ubuntu.com/security/CVE-2026-43499
# https://security-tracker.debian.org/tracker/CVE-2026-43499

Interim Mitigation While You Wait for a Patch Window
Unlike many recent kernel LPEs, GhostLock has no clean sysctl workaround — you cannot disable CONFIG_FUTEX_PI on a running kernel. The only viable interim options are a seccomp filter for container environments and KernelCare for live patching without a reboot.
Option 1: KernelCare Livepatch (no reboot required)
# Check if KernelCare is installed
kcarectl --version 2>/dev/null || echo 'KernelCare not installed'
# If installed, apply the GhostLock patch immediately
kcarectl --update
# Verify the patch is applied
kcarectl --patch-info | grep CVE-2026-43499
# Should return: CVE-2026-43499 applied
Option 2: Seccomp Filter for Containers (blocks the trigger path)
Inside containers, a seccomp filter that blocks the specific futex PI operations used to trigger the bug closes the container-escape vector, at the cost of breaking workloads that use priority-inheritance mutexes:
# Add to your Docker run command or Compose securityContext:
# --security-opt seccomp=/path/to/ghostlock-seccomp.json
# Create a seccomp profile that blocks futex PI operations
cat > /etc/docker/ghostlock-seccomp.json << 'SCEOF'
{
"defaultAction": "SCMP_ACT_ALLOW",
"syscalls": [
{
"names": ["futex"],
"action": "SCMP_ACT_ERRNO",
"args": [
{"index": 1, "value": 13, "op": "SCMP_CMP_EQ"},
{"index": 1, "value": 14, "op": "SCMP_CMP_EQ"}
]
}
]
}
SCEOF
# Apply to new containers
docker run --security-opt seccomp=/etc/docker/ghostlock-seccomp.json your-image
# Warning: this breaks PTHREAD_PRIO_INHERIT mutexes in the container
# Test in non-production before applying to critical workloads
Option 3: Restrict Local User Access
Since GhostLock requires local code execution, restricting which accounts can log in or run processes on multi-tenant servers reduces the pool of potential attackers while waiting for the patch:
# Review which non-root users have active shells
grep -v '/sbin/nologin\|/bin/false' /etc/passwd | awk -F: '$3 >= 1000 {print $1}'
# Disable interactive shells for service accounts that don't need them
usermod -s /sbin/nologin username
# Review sudo access -- no account should have NOPASSWD on a vulnerable system
grep -r NOPASSWD /etc/sudoers /etc/sudoers.d/ 2>/dev/null

Container Environments Need Immediate Attention
GhostLock's container escape capability makes it especially dangerous for Kubernetes clusters, Docker hosts, and any platform that runs multi-tenant workloads. Because containers share the host kernel, a compromised pod on a vulnerable node can escape to the host and gain root — then pivot to every other container on the machine. Check every worker node kernel individually:
# Kubernetes -- check kernel version on every worker node
kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.kernelVersion}{"\n"}{end}'
# Cross-reference each node kernel against patched versions above
# A node running 5.14.0-427 is NOT patched -- it needs 5.14.0-687.24.1 or higher
# Check if containers are running privileged (highest risk)
docker ps -q | xargs -I{} docker inspect {} \
--format '{{.Name}}: privileged={{.HostConfig.Privileged}}' 2>/dev/null | grep true
# Kubernetes -- check for privileged pods
kubectl get pods --all-namespaces -o json 2>/dev/null | \
python3 -c "
import json,sys
data=json.load(sys.stdin)
for item in data.get('items',[]):
ns=item['metadata']['namespace']
name=item['metadata']['name']
for c in item['spec'].get('containers',[]):
sc=c.get('securityContext',{})
if sc.get('privileged'):print(ns+'/'+name+'/'+c['name']+': PRIVILEGED')
"
Drain and patch any worker node running an unpatched kernel before re-admitting workloads. The same procedure applies as for any kernel update — drain, patch, reboot, uncordon. Do not skip the uncordon verification step.
Verify the Patch After Rebooting
After rebooting into the patched kernel, confirm the fix is active before removing any interim mitigations. Two kernel build options also reduce exploitability even on unpatched kernels — worth checking as additional context:
# Confirm running kernel version
uname -r
# AlmaLinux / RHEL: confirm CVE is in changelog
rpm -q --changelog kernel | grep CVE-2026-43499
# Ubuntu / Debian: confirm from apt
apt-cache show linux-image-$(uname -r) 2>/dev/null | grep -i CVE-2026-43499
# Check if RANDOMIZE_KSTACK_OFFSET is enabled (mitigates but does not fix)
grep CONFIG_RANDOMIZE_KSTACK_OFFSET /boot/config-$(uname -r) 2>/dev/null
# Check if STATIC_USERMODE_HELPER is enabled (also a mitigation)
grep CONFIG_STATIC_USERMODE_HELPER /boot/config-$(uname -r) 2>/dev/null
# After confirming patch, remove seccomp workaround if applied
# Restart containers with default seccomp profile
docker restart your-container-name

GhostLock in Context: The 2026 Linux LPE Wave
GhostLock is the latest in a remarkable series of Linux kernel local privilege escalations disclosed in 2026: Copy Fail (April), Dirty Frag (May), CIFSwitch (June), CVE-2026-23111 nf_tables (June), and now GhostLock (July). Each exploits a different subsystem. Together they share a critical detail — several were found by automated analysis tools, not by manual code review. VEGA found GhostLock. AI tools found others. This pattern is what makes the 2026 wave structurally different from previous years: the discovery rate is accelerating faster than the patch rate for many organizations.
The practical response is the same each time: apply the no-reboot mitigation first if one is available, then schedule the kernel update and reboot as soon as possible. Our Linux server hardening checklist covers standing configurations that reduce exposure to this entire class of vulnerability — disabling unprivileged user namespaces, enforcing SELinux or AppArmor, and restricting local user access on multi-tenant systems. If you have not yet patched CVE-2026-46333 ssh-keysign-pwn from May, a single kernel update this week closes both that and GhostLock on most distributions. The AlmaLinux security blog has rolling patch status for every AlmaLinux release, updated as production packages land.
Conclusion
The GhostLock CVE-2026-43499 Linux fix is available now for AlmaLinux 8, 9, and 10, RHEL 8 and 9, Fedora, and Debian 13. Ubuntu 22.04 and 24.04 LTS and Debian 11 and 12 patches are still rolling out — update now to get the latest available build and track your distribution's CVE page daily. For container hosts specifically, check every Kubernetes worker node kernel individually. A pod on an unpatched node can escape to the host and compromise every other workload on that machine. If a reboot window is not immediately available, deploy the KernelCare livepatch or the seccomp filter for containers as interim protection. Do not wait on this one — a reliable, public, 97 percent successful root exploit in the wild changes the risk calculation entirely. Schedule the kernel update today.