IonStack part II: GhostLock, a stack-UAF that has existed in ALL Linux distributions for 15 years | Nebula Security
Research<br>Vulnerability Research Bug List<br>Products<br>Vega<br>Lab<br>Lab<br>Pricing<br>Plans & pricing
Speak to Our Experts Toggle theme
Overview
Vulnerability Summary<br>Vulnerability Analysis<br>Overview<br>Root cause<br>Triggering the stack-UAF<br>The initial primitive from GhostLock<br>Exploit Details<br>Exploit Summary<br>Background of used tricks<br>Prefetch ASLR Leak<br>CEA spray and randomization bypass<br>Reusing the stack: forging the waiter with PR_SET_MM_MAP<br>From fake waiter to one controlled (limited) write<br>Use inet6_protos[IPPROTO_UDP] to help<br>The pivot and DirtyMode<br>Appendix<br>bigger ROP or NPerm<br>Mitigation<br>The patch<br>RANDOMIZE_KSTACK_OFFSET<br>STATIC_USERMODE_HELPER<br>Timeline<br>Disclosure policy
July 2026<br>linux<br>IonStack part II: GhostLock, a stack-UAF that has existed in ALL Linux distributions for 15 years<br>Nebula Security
July 7, 2026<br>17 min read
svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent bg-muted text-foreground [a&]:hover:bg-muted/90"> linux svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent bg-muted text-foreground [a&]:hover:bg-muted/90"> CVE-2026-43499 svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent bg-muted text-foreground [a&]:hover:bg-muted/90"> GhostLock svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent bg-muted text-foreground [a&]:hover:bg-muted/90"> vulnerability svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent bg-muted text-foreground [a&]:hover:bg-muted/90"> ionstack
Table of ContentsVulnerability Summary<br>Vulnerability Analysis<br>Overview<br>Root cause<br>Triggering the stack-UAF<br>The initial primitive from GhostLock<br>Exploit Details<br>Exploit Summary<br>Background of used tricks<br>Prefetch ASLR Leak<br>CEA spray and randomization bypass<br>Reusing the stack: forging the waiter with PR_SET_MM_MAP<br>From fake waiter to one controlled (limited) write<br>Use inet6_protos[IPPROTO_UDP] to help<br>The pivot and DirtyMode<br>Appendix<br>bigger ROP or NPerm<br>Mitigation<br>The patch<br>RANDOMIZE_KSTACK_OFFSET<br>STATIC_USERMODE_HELPER<br>Timeline<br>Disclosure policy
Need something less technical? Take a quick look at our bug summary.
Read the bug summary →
GhostLock (CVE-2026-43499) is a Linux kernel vulnerability found by VEGA that exists in every major distribution since 2011. Triggering the bug does not require any special kernel config or privilege. By turning it into a 97% stable privilege escalation and container escape, Google has rewarded us $92,337 in kernelCTF. This writeup covers the technical details of the exploit.
Vulnerability Summary
GhostLock (CVE-2026-43499) lets an unprivileged local attacker:
Get a dangling kernel pointer to kernel stack memory with only regular threading syscalls.
Write a pointer to an almost arbitrary address.
Hijack a function table to get control flow hijack and eventually get root access.
GhostLock was introduced in Linux 2.6.39 and fixed in Linux 7.1. It has existed in the Linux kernel for more than 15 years.<br>Every Linux distribution without the patch is affected and should consider upgrading to the latest LTS version.
Your browser does not support the video tag.
Vulnerability Analysis
I would like to see the exploit strategy directly Overview<br>GhostLock was introduced with the rtmutex rework in 8161239a8bcc (“rtmutex: Simplify PI algorithm and make highest prio task get lock”), and sat untouched for about fifteen years until the April 2026 fix in 3bfdc63936dd (“rtmutex: Use waiter::task instead of current in remove_waiter()”). The affected range is v2.6.39-rc1 to v7.1-rc1, with CONFIG_FUTEX_PI=y the only requirement and no capabilities or user namespaces needed.<br>remove_waiter() in kernel/locking/rtmutex.c clears current->pi_blocked_on. That is correct on the normal slow path, where current is the task that owns the waiter....