15-Year-Old Linux Kernel Vulnerability Allows Full System Takeover

15-Year-Old Linux Kernel Vulnerability Allows Full System Takeover

Researchers at Nebula Security discovered a privilege escalation bug in the Linux kernel that's been lying dormant for over 15 years that affects every Linux distribution before version 7.1.

Dubbed "GhostLock," the vulnerability was originally introduced in Linux 2.6.39 in a rework of rtmutex from 2011, over 15 years ago. The bug allows an attacker to gain full root permissions and even break out of containers starting from an unprivileged user. It was fixed in April 2026 in Linux version 7.1.

Nebula says all Linux distributions before the patch are affected, so make sure to update your system to the latest stable version available from your distribution.

The researchers were able to reliably exploit the vulnerability 97% of the time and were awarded $92,337 by Google through kernelCTF.

The bug lies in the remove_waiter() function. It was written to address the situation where a thread blocks on its own and then cleans up after itself. However, the rt_mutex_start_proxy_lock() function used it to clean up a different, sleeping thread.

Under the right conditions, remove_waiter() will remove the pointer for the currently executing task instead of the waiting task, leaving a dangling pointer to kernel memory that can be exploited to escalate privileges.

Effectively, the function was used for a purpose it wasn't originally written for and the assumptions it was originally written with caused the bug.

The researchers were also able to bypass address space layout randomization (ASLR), a security feature meant to protect against memory corruption vulnerabilities, by timing the prefetch on a given address.

prefetch on a given address runs in a different number of cycles depending on whether that address is mapped in the current page tables, so an unprivileged process can time prefetch across the kernel range and read off which addresses are mapped (the prefetch paper has the details).
It works here as Linux barely randomizes the base of its default kernel image (~9 bits of entropy for text base), so a little averaging can recover the KASLR base with near 100% reliability.

Likely there are plenty of other similar bugs hiding in the massive Linux codebase.

Google estimates that around 76% of vulnerabilities in Android were memory safety vulnerabilities before they began their push for memory-safe languages like Rust, with the number dwindling down to 24% (and that was back in 2024).

The Linux kernel could benefit from higher adoption of Rust in the kernel. Making use of hardware features such as MTE for ARM chips and the upcoming ChkTag for x86 chips will be huge in protecting from memory safety vulnerabilities in the future as well.

Community Discussion