Original title: Need something less technical? Take a quick look at our bug summary.
Article
The article documents GhostLock (CVE-2026-43499), a Linux kernel bug introduced in 2.6.39 and fixed in 7.1 that affected most distributions for over 15 years and can be triggered by unprivileged local code through futex syscalls when CONFIG_FUTEX_PI is enabled. It explains that a legacy helper, remove_waiter(), wrongly assumes the current task is always the waiter being cleaned up, but on the requeue path it can clear pi_blocked_on for the wrong task during -EDEADLK rollback, leaving a dangling pointer into the waiter’s kernel stack. The authors describe a reproducible three-futex, three-thread cycle that creates a stable stack UAF window, then reclaim the exact stack frame via PR_SET_MM_MAP auxv reuse to forge an rt_mutex_waiter structure. They show that this enables a constrained arbitrary write through rt_mutex rb-tree erase, which is used to redirect inet6_protos[IPPROTO_UDP] toward a fake handler in the CPU entry area and then pivot execution. The kernel control-flow path is then completed with a short ROP that flips core_pattern mode bits (DirtyMode), after which exploitation becomes userland-driven root gain. The writeup notes one-CPU viability, gives prefetch/entry-area details for leak and rebase control, mentions Android-specific follow-up work as future work, and shares a mitigation timeline from report and patching dates through a July 7, 2026 publication and bounty disclosure. In comments, readers both validate and stress-test the exploit idea on real devices while also reacting to its technical framing, suggesting the underlying flaw now spans documentation, reliability, and risk messaging concerns.
Commenters report practical tests on Android devices (versions 9, 13, and 16) with older Firefox builds, including unstable outcomes like boot loops and shutdowns, while noting a Pixel wallpaper demo and sharing a related resource link. Several readers focus on accessibility of the writeup, suggesting less technical summaries and clearer terminology, such as expanding LPE in the title. Reactions include surprise at the bug’s long lifespan and acknowledgment of the bounty result. A language-focused thread questions the phraseology around “use after free,” treating it as jargon and contrasting it with older memory-corruption naming, and one long-form reply criticizes “shape” language as AI-influenced phrasing rather than engineering terminology. Overall, users show technical curiosity, real-world validation, and editorial discomfort with stylistic choices even as they engage with the exploit details.