GhostLock (CVE-2026-43499) is a Linux kernel vulnerability present in all major distributions since 2011, allowing an unprivileged local attacker to obtain a dangling pointer to kernel stack memory and execute a 97% stable privilege escalation and container escape. The flaw arises from a misuse of the remove_waiter() function in the rtmutex subsystem, causing a stack-use-after-free (UAF) condition that enables controlled writes to kernel memory, leading to function pointer hijacking and root access. The bug was patched in Linux 7.1 after fifteen years, and affected systems are urged to upgrade, with detailed technical analysis and an exploit demonstrating the multi-stage attack involving kernel stack reuse, ASLR leaks, and control flow hijacking.
IonStack Part II: GhostLock, a stack-UAF That Has Existed in ALL Linux Distributions for 15 Years

