| GhostLock, a stack-UAF that has existed in all Linux distributions for 15 years(nebusec.ai) | |
| 332 points by ranger_danger 4 days ago | 147 comments | |
tl;dr: Researchers at VEGA disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel stack use-after-free in the rtmutex/futex PI code, where `remove_waiter()` incorrectly clears `current->pi_blocked_on` instead of the actual waiter's, leaving a dangling pointer to a freed stack frame. The bug affects kernels 2.6.39 through 7.1-rc1 with CONFIG_FUTEX_PI=y, requires no privileges, and was exploited into a 97%-reliable root/container escape by reclaiming the stack via `prctl(PR_SET_MM_MAP)`, forging an rt_mutex_waiter, overwriting `inet6_protos[IPPROTO_UDP]`, and pivoting via the CPU entry area to flip `core_pattern` permissions. Google awarded $92,337 via kernelCTF. | |
HN Discussion:
| |