PT-2026-42456 · Linux · Linux Kernel

Tglx

·

Published

2026-05-21

·

Updated

2026-07-10

·

CVE-2026-43499

CVSS v4.0

8.5

High

VectorAV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Linux kernel versions 2.6.39 through 7.0
Description A use-after-free (UAF) issue, known as GhostLock, exists in the rtmutex component of the Linux kernel. The flaw occurs within the remove waiter() function, which is used by slowlock paths and for proxy-lock rollback in rt mutex start proxy lock() when called from futex requeue(). In the latter scenario, the function incorrectly operates on the current task instead of the waiter::task during the dequeue operation. This leads to several technical failures: the rbtree dequeue occurs without holding the waiter::task::pi lock, the pi blocked on state of the waiter task is not cleared—creating a dangling pointer—and the rt mutex adjust prio chain() function operates on the incorrect top priority waiter task. A local unprivileged user can exploit this to achieve full root privileges or perform a container escape. Real-world research demonstrated a stable exploit with approximately 97% reliability, granting root access in about five seconds.
Recommendations Update the Linux kernel to version 7.1 or later. As a temporary mitigation, enable the RANDOMIZE KSTACK OFFSET and STATIC USERMODE HELPER build parameters to increase the difficulty of exploitation.

Exploit

Fix

LPE

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-08889
CVE-2026-43499
ECHO-9793-C0AF-3276
OESA-2026-2674
OPENSUSE-SU-2026:10859-1
OPENSUSE-SU-2026:20912-1
SUSE-SU-2026:22043-1
SUSE-SU-2026:22048-1
SUSE-SU-2026:22076-1
SUSE-SU-2026:22087-1
SUSE-SU-2026:22108-1
SUSE-SU-2026:22137-1
SUSE-SU-2026:22433-1
SUSE-SU-2026:22458-1
SUSE-SU-2026:2310-1
SUSE-SU-2026:2317-1
SUSE-SU-2026:2331-1
SUSE-SU-2026:2332-1
SUSE-SU-2026:2383-1
SUSE-SU-2026:2421-1
SUSE-SU-2026:2450-1
SUSE-SU-2026:2482-1
SUSE-SU-2026:2591-1
USN-8488-1
USN-8488-2
USN-8489-1
USN-8507-1

Affected Products

Linux Kernel