PT-2026-42456 · Linux · Linux Kernel
Tglx
·
Published
2026-05-21
·
Updated
2026-07-10
·
CVE-2026-43499
CVSS v4.0
8.5
High
| Vector | AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions 2.6.39 through 7.0
Description
A use-after-free (UAF) issue, known as GhostLock, exists in the
rtmutex component of the Linux kernel. The flaw occurs within the remove waiter() function, which is used by slowlock paths and for proxy-lock rollback in rt mutex start proxy lock() when called from futex requeue(). In the latter scenario, the function incorrectly operates on the current task instead of the waiter::task during the dequeue operation. This leads to several technical failures: the rbtree dequeue occurs without holding the waiter::task::pi lock, the pi blocked on state of the waiter task is not cleared—creating a dangling pointer—and the rt mutex adjust prio chain() function operates on the incorrect top priority waiter task. A local unprivileged user can exploit this to achieve full root privileges or perform a container escape. Real-world research demonstrated a stable exploit with approximately 97% reliability, granting root access in about five seconds.Recommendations
Update the Linux kernel to version 7.1 or later.
As a temporary mitigation, enable the
RANDOMIZE KSTACK OFFSET and STATIC USERMODE HELPER build parameters to increase the difficulty of exploitation.Exploit
Fix
LPE
Use After Free
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Linux Kernel