Nebula Security has released working exploit code for GhostLock, a Linux kernel vulnerability that researchers say can turn an ordinary local account into root on unpatched systems. SecurityWeek and The Hacker News identified the bug as CVE-2026-43499 and reported that it had been present in the kernel for 15 years.
That combination is ugly for administrators: the flaw is local, but it reportedly does not require special privileges or network access once a person has a login. On multiuser servers, developer workstations, shared lab machines, and container hosts, that is enough to turn a routine account compromise into a full system compromise.
According to SecurityWeek and The Hacker News, GhostLock is a use-after-free vulnerability. That bug class appears when code releases a chunk of memory and later continues to treat it as valid. Attackers try to reclaim or shape that freed memory so the stale reference points somewhere useful. In kernel code, a successful use-after-free can cross the line from crashing a machine to running code with the operating system’s highest privileges.
Nebula’s exploit reportedly does more than pop root on a friendly test box. SecurityWeek and The Hacker News said the exploit can break out of containers, which matters because many teams still treat containers as a meaningful containment boundary for untrusted workloads. Containers share the host kernel, so a kernel privilege-escalation bug is the kind of flaw that makes that bargain look less comforting.
The exploit was 97 percent reliable in Nebula’s testing, according to those reports. The research also earned Nebula a $92,337 reward through Google’s kernelCTF program, which pays researchers for demonstrating practical Linux kernel exploits under controlled conditions.
Patching is less tidy than disclosure
The vulnerability was fixed in April, SecurityWeek reported, but distribution-level patching is where Linux security often becomes less elegant than the mailing-list version of events. WIRED reported that Ubuntu’s status pages in early July still listed Ubuntu 24.04 LTS, 22.04 LTS, and 20.04 LTS as vulnerable or still being worked on.
That means defenders should verify the actual fixed package installed on their systems rather than assume that an available kernel update has landed everywhere it needs to. Kernel fixes can sit behind distribution backports, staged releases, reboot windows, and the grim little pile of machines that nobody has touched since the last emergency.
SecurityWeek and The Hacker News reported that the vulnerable code shipped by default in effectively every major Linux distribution since 2011. The available reports do not list every affected package version, so the practical answer is distribution-specific: check vendor advisories, confirm the patched kernel build, and reboot into it.
AI found old code humans stopped reading
Nebula said it found GhostLock using VEGA, its AI-assisted bug-hunting system. WIRED described the discovery as part of a 2026 wave of Linux privilege-escalation findings produced by automated tools reviewing older kernel code.
That is a useful datapoint, with the usual caveat: tool-assisted discovery is not magic, and exploitability still has to be proved. In this case, Nebula published exploit code, reports say the bug earned a Google kernelCTF payout, and the fix already exists upstream. The remaining problem is the familiar one: getting patched kernels onto real machines before someone else runs the proof of concept.
This story draws on original reporting from WIRED.