GhostLock: 15-Year Kernel UAF Affects Every Linux Distribution
Security researchers at Nebusec have disclosed GhostLock, a stack use-after-free (UAF) vulnerability present in every Linux distribution for approximately 15 years. Full technical details are in Nebusec's ionstack research.
What Happened
A stack-UAF occurs when kernel code continues to reference memory after it has been freed or gone out of scope. In the Linux kernel, this bug class is critical: successful exploitation typically allows an unprivileged local user to escalate to root, bypass security enforcement layers (SELinux, AppArmor, seccomp), or escape container boundaries entirely.
GhostLock lives in a kernel subsystem that has shipped in Linux for over a decade and a half, meaning the vulnerable code has been present across every major distribution — Debian, Ubuntu, RHEL, Fedora, Alpine, Arch, and all their derivatives — across countless production configurations worldwide.
Why It Matters
Three factors combine to make this especially serious:
Universal scope. No Linux distribution is unaffected. Every server, workstation, container host, and embedded system running Linux carries this code.
Fifteen years of exposure. The vulnerability predates most of the kernel hardening that modern systems depend on and has survived audits, fuzzing campaigns, and CVE reviews for over a decade. That dwell time means any attacker who knew about it privately has had ample opportunity to exploit it quietly — with no defenders the wiser.
Kernel-level privilege. An attacker does not need existing elevated access to trigger a kernel UAF. Local code execution — including code running inside a container on a shared host — is often sufficient. Once the kernel is compromised, an attacker can install rootkits, hide processes and network connections, and survive reboots.
Multi-tenant environments are the highest priority: Kubernetes clusters, shared CI/CD runners, VPS hosts, and any system where untrusted or semi-trusted code executes should be treated as at risk until patched.
What to Do
1. Subscribe to your distribution's security advisory channel now if you haven't already. The patch will arrive through:
- Ubuntu: Ubuntu Security Notices
- RHEL / Rocky / AlmaLinux: Red Hat Errata
- Debian: Debian Security Advisories
2. Apply the kernel patch immediately on release. Do not defer for a scheduled maintenance window on internet-facing or multi-tenant systems. The risk of exploitation outweighs the cost of an unscheduled reboot.
3. Reboot after patching. Kernel updates only take effect after a reboot. Enterprise distributions may offer live-patching (kpatch, Canonical Livepatch) — confirm explicitly that the live patch covers GhostLock before relying on it as a substitute.
4. Audit container host boundaries. Assume container escape is in scope until patches are confirmed applied. Restrict which workloads run on shared kernel hosts and limit who can exec into pods or run arbitrary binaries.
5. Verify baseline mitigations are active. Run dmesg | grep -i kaslr and confirm SMEP/SMAP are enabled in your CPU flags. These do not fix GhostLock but raise the exploitation bar while you wait for the patch.
Track CVE assignment and patch status through Nebusec's research and your distribution's security mailing list.
Synthesized by Claude · sanity-checked before publish.