GhostLock: How AI Found a 15-Year-Old Linux Kernel Bug Hiding in Plain Sight
An AI security researcher called VEGA discovered GhostLock, a stack use-after-free vulnerability that has existed in every Linux distribution since 2011. Google paid a $92,337 bounty for the find.
Imagine a flaw so deeply embedded in an operating system that it survived kernel updates, distribution upgrades, and countless security audits for over fifteen years. Now imagine that it took an AI to finally find it. That's exactly what happened with GhostLock, a Linux kernel vulnerability designated CVE-2026-43499, discovered by an AI security research pipeline called VEGA from Nebula Security.
What Is GhostLock?
GhostLock is a stack use-after-free (UAF) vulnerability in the Linux kernel's rtmutex subsystem, specifically in the futex requeue PI path. It was introduced in Linux 2.6.39 with a commit that reworked the priority inheritance mutex algorithm, and it sat untouched in every major Linux distribution from 2011 until it was fixed in Linux 7.1 in April 2026.
The vulnerability allows an unprivileged local attacker to:
- Obtain a dangling kernel pointer to kernel stack memory using only standard threading syscalls
- Write a pointer to an almost arbitrary memory address
- Hijack a function table to gain control flow hijack and ultimately root access
No special kernel configuration was required beyond CONFIG_FUTEX_PI=y, which is enabled by default in virtually all distributions. No capabilities or user namespaces were needed. Any unprivileged user could trigger it.
The Root Cause: A Function Used Outside Its Design
At its core, GhostLock is a lifecycle bug. The helper function remove_waiter() in kernel/locking/rtmutex.c was originally written for a single scenario: a thread blocks on a lock and then cleans up after itself. It always assumed that the currently running thread (current) is the waiter it needs to clean up, so it clears current->pi_blocked_on accordingly.
However, the requeue-PI path broke that assumption. Through rt_mutex_start_proxy_lock(), a waiter can be enqueued on behalf of another task. When a deadlock is detected during the proxy lock process, the rollback dequeues the waiter but clears pi_blocked_on on the requeuer rather than the actual waiter. The waiter task retains a dangling pi_blocked_on pointer to its own stack frame, which is popped the moment the waiter returns to userspace. Any subsequent priority inheritance chain walk through that task follows the dangling pointer into stale stack memory.
This is a class of bug that is notoriously difficult to find through traditional fuzzing or manual code review. The conditions that trigger it involve a specific interleaving of futex operations across multiple threads, and the symptoms manifest far from the root cause.
Enter VEGA: AI-Powered Vulnerability Research
VEGA is an AI security research pipeline developed by Nebula Security. Unlike traditional static analysis tools that rely on pattern matching or predefined rules, VEGA uses agentic AI to explore code, reason across call paths, and test hypotheses against the actual project. It thinks like a security researcher, but at a scale and speed that humans simply cannot match.
The numbers behind VEGA are striking:
- 885 validated findings across multiple projects
- 853 Linux kernel bugs identified
- 8 Chrome zero-days discovered
- 90 public CVEs assigned
VEGA has been deployed against major codebases including Linux, Chrome, nginx, Microsoft, WordPress, CPython, and QuickJS-NG. It integrates with existing developer workflows through a GitHub App, a CLI tool, and even an MCP server that lets coding agents like Codex, Claude Code, and Cursor pull findings directly into their sessions.
From Discovery to Exploit: 97% Stable
What makes GhostLock particularly alarming is its reliability. Nebula Security turned the vulnerability into a 97% stable privilege escalation and container escape. In practice, this means that any unprivileged user on an affected Linux system could potentially gain root access and break out of container isolation, which is the foundation of security for cloud infrastructure, CI/CD pipelines, and multi-tenant hosting environments.
Google recognized the severity of the finding and awarded Nebula Security $92,337 through the kernelCTF program, which incentivizes security researchers to find and report kernel vulnerabilities responsibly.
The Broader Implications
GhostLock raises several important points for the security community:
- Long-lived bugs are real. Fifteen years is not an outlier. Complex kernel subsystems can harbor subtle logic bugs for over a decade, and traditional review processes may never catch them.
- AI is changing vulnerability research. Tools like VEGA can reason across call paths and threading scenarios that would take human researchers weeks or months to trace manually.
- Container isolation is not a security boundary. When a kernel vulnerability enables container escape, the isolation guarantees that cloud providers rely on become conditional on kernel patching.
- Patching velocity matters. The fix landed in Linux 7.1, but every distribution running an older kernel without the backported patch remains vulnerable. Organizations need to track and apply kernel updates promptly.
What You Should Do
If you manage Linux systems, the guidance is straightforward:
- Upgrade to Linux 7.1 or later, or apply the backported patch to your current LTS kernel
- Audit your container workloads and assume that a kernel UAF could enable tenant escape
- Consider AI-powered security scanning for your own codebases, especially for critical infrastructure components
The Future of AI in Security Research
GhostLock is a milestone finding, but it is unlikely to be the last. VEGA and similar AI security tools are proving that agentic AI can find bugs that are not just theoretically possible but practically exploitable. As these tools mature, the gap between discovery and patching will shrink, but only if organizations adopt them and act on their findings.
The fact that an AI found a bug that thousands of human kernel developers and security researchers had walked past for fifteen years is not a criticism of those researchers. It is a testament to how AI can complement human expertise by exploring edge cases and cross-subsystem interactions at a scale that was previously impossible.
As the security landscape evolves, the question is no longer whether AI will be part of vulnerability research, but how quickly organizations can integrate it into their workflows before attackers do the same.