A critical vulnerability named GhostLock (CVE-2026-43499) has been discovered in the Linux kernel, affecting all major distributions for over 15 years. This flaw, introduced in version 2.6.39 and fixed in version 7.1, allows unprivileged local attackers to escalate privileges and escape containers with high stability. The vulnerability stems from a misuse of the `remove_waiter()` function, which incorrectly clears the `pi_blocked_on` flag on the wrong task during a proxy requeue operation, leading to a dangling kernel pointer. Google has awarded a $92,337 bounty for the discovery and successful exploitation of this bug. AI
RANK_REASON Discovery of a long-standing, critical vulnerability in a core operating system component. [lever_c_demoted from research: ic=1 ai=0.1]
Read on Hacker News — AI stories ≥50 points →
- CVE-2026-43499
- FUTEX_CMP_REQUEUE_PI
- FUTEX_WAIT_REQUEUE_PI
- GhostLock
- kernelCTF
- Linux
- Linux kernel
- rtmutex
- VEGA
AI-generated summary · Google Gemini · from 1 sources. How we write summaries →