
TL;DR
A use-after-free bug in the Linux kernel's real-time mutex implementation has existed since 2011. Researchers earned $92,337 from Google's kernelCTF for discovering and exploiting it.
A vulnerability called GhostLock (CVE-2026-43499) has been hiding in the Linux kernel for 15 years. The bug - a stack use-after-free in the real-time mutex (rtmutex) implementation - affects virtually every Linux distribution and earned its discoverers $92,337 from Google's kernelCTF competition.
The vulnerability was introduced in Linux 2.6.39-rc1 and fixed in Linux 7.1-rc1. If your system hasn't been patched, it's affected.
The bug lives in a function called remove_waiter(). Originally, this helper was designed for a task to clean up after itself when it stopped waiting on a mutex. The problem emerged when the Requeue-PI functionality started using this same function through rt_mutex_start_proxy_lock().
The core issue: when remove_waiter() clears the pi_blocked_on pointer, it targets the wrong task. The waiter object lives on the stack of a sleeping task, but the function clears the pointer on the requeuer instead of the actual waiter. This mismatch creates a dangling pointer.
Nebula Security's research team discovered the bug using their internal tool VEGA. They reported it on April 18, 2026, and it was fixed two days later on April 20. The public disclosure came on July 7.
The researchers achieved 97% stability for privilege escalation and container escape - no special privileges or unusual kernel configurations required. The exploit works with ordinary threading syscalls.
Here's the high-level attack chain:
-EDEADLKPR_SET_MM_MAP to place attacker-controlled bytes where the freed waiter structure livedinet6_protos through rtmutex rb-tree manipulation/proc/sys/kernel/core_patternThe researchers note this follows "the same shape as many other life-cycle bugs" - a helper function gets repurposed beyond its original design, and the assumptions it makes no longer hold.
Newsletter
Get the weekly deep dive
Tutorials on Claude Code, AI agents, and dev tools, delivered free every week.
From the archive
Jul 13, 2026 • 6 min read
Jul 13, 2026 • 9 min read
Jul 13, 2026 • 7 min read
Jul 12, 2026 • 9 min read
Any Linux kernel version from 2.6.39-rc1 through 7.1-rc1 with CONFIG_FUTEX_PI=y enabled is vulnerable. This covers essentially every mainstream distribution released in the last 15 years.
The researchers tested the exploit on three Android devices running versions 9, 13, and 16. Two boot-looped into recovery mode; the third powered off. A demo on supported Pixel devices modifies the wallpaper as proof of concept.
The Hacker News discussion is lively, with several threads worth noting.
On the discovery method: Some commenters are questioning whether "use after free" became common terminology because of LLMs, while others point out it's been standard security parlance for decades. The writing style of the research paper itself drew comparisons to Claude's output patterns.
On Linux security broadly: One commenter asked whether we "really need infosec companies now that a skid with Claude can find decades-old kernel privesc over a weekend." Others pushed back on Linux security in general, pointing to OpenBSD as an alternative for security-critical workloads.
On Android implications: Several developers are asking whether this could be used to unlock bootloaders on typically locked phones. Others wonder if SELinux provides any protection (the research suggests the exploit bypasses typical kernel protections).
On the severity: The $92,337 payout from Google's kernelCTF speaks to the severity. As one commenter put it after seeing the reward amount: "I'm all ears now."
The patch corrects remove_waiter() to clear pi_blocked_on on the actual waiter task rather than current. The fix passes the correct task context through the call chain and uses the waiter's task lock for synchronization.
If you're running Linux in production, check your kernel version and ensure you're on a patched release. The major distributions have all shipped updates.
Three takeaways from GhostLock:
Helper functions are risk magnets. When a function gets reused beyond its original scope, the assumptions it makes may no longer hold. The original remove_waiter() code was correct for its intended use case - the bug emerged from repurposing it.
Life-cycle bugs are subtle. The mismatch between which task owns the waiter object and which task is current during cleanup is exactly the kind of semantic confusion that static analysis struggles to catch. Code review and fuzzing remain essential.
Kernel security is everyone's problem. If you're running containers, VMs, or any workload where tenant isolation matters, kernel vulnerabilities like this represent a shared attack surface. Container escapes mean your isolation guarantees are only as good as your kernel patches.
The research paper at nebusec.ai includes full technical details, including the ION-related exploitation techniques that give the research its "IonStack" name.
Read next
Someone found an obfuscated bash script on a Uniqlo x Akamai t-shirt and decoded it. Here's what they found - and what HN thinks about whether it was AI-generated.
5 min readFilippo Valsorda argues that LLMs have ended the era of treating security researchers with kid gloves. When anyone can discover vulnerabilities with an AI, the old coordinated disclosure model breaks down.
7 min readOpen-source tool gives Claude Code, Codex, and other agents their own isolated Linux VM on your machine - network firewall included, no cloud account required.
6 min readTechnical content at the intersection of AI and development. Building with AI agents, Claude Code, and modern dev tools - then showing you exactly how it works.
Private local AI chatbot by Nomic. 250K+ monthly users, 65K GitHub stars. LocalDocs feature lets you chat with your own...
View ToolTerminal emulator built in Zig with platform-native UI and GPU acceleration. 2ms key-to-screen latency. Metal on macOS,...
View ToolOpen-source AI agent built in Rust, now governed by the Agentic AI Foundation at the Linux Foundation. Desktop app, CLI,...
View ToolOpen-source cloud sandboxes for AI agents. Isolated environments that start in under 200ms, run code in Python, JavaScri...
View ToolHold-to-record voice input on macOS, Linux, and Windows.
Claude CodeFilesystem and network isolation for Bash tool calls on Linux and macOS.
Claude CodeA complete, citation-backed Claude Code course with setup, prompting systems, MCP, CI, security, cost controls, and capstone workflows.
ai-development
Someone found an obfuscated bash script on a Uniqlo x Akamai t-shirt and decoded it. Here's what they found - and what H...

Open-source tool gives Claude Code, Codex, and other agents their own isolated Linux VM on your machine - network firewa...

A security researcher intercepted Grok Build's network traffic and found it uploads entire repositories - including .env...

A new experimental technology encodes messages in video using motion-based steganography, exploiting how AI models proce...

Security researchers discovered a prompt injection vulnerability in GitHub's Agentic Workflows that allows attackers to...

Flipper Devices announces their firmware hit 1.0 stability and outlines a new community contribution model - while HN de...

New tutorials, open-source projects, and deep dives on coding agents - delivered weekly.