Hi all,
as I did not see it mentioned on this list yet, there seems to be yet
another serioys LPE or at least DoS for the Linux kernel, dubbed
GhostLock and assigned CVE-2026-43499:
https://nebusec.ai/research/ionstack-part-2/
As I'd have hoped to get an alert via this list, I figured a notice is
in order. Or do we give up to keep track of the stream of serious Linux
kernel flaws? :-/
I at least achieved system crash / hang using the poc.c linked from the
above website on a current Ubuntu system with 7.0.0-14 LTS kernel,
while Debian 13 with 6.12.95+deb13-amd64 or vanilla 6.6.144 is not
vulnerable, as probably are many other kernels not too far from
kernel.org LTS or mainline. The relevant fix is
3bfdc63936dd (“rtmutex: Use waiter::task instead of current in
remove_waiter()”)
which was committed on 2026-04-21. There is no module to block for this
one, or some other configuration as mitigation. The kernel needs to be
updated.
If you're not stuck on a commercial distro that hasn't updated its
kernel in the past months, you're probably safe …
Alrighty then,
Thomas
--
Dr. Thomas Orgis
HPC @ Universität Hamburg