AI hunting tool finds 15-year-old Linux root bug that lets any user take full control

An artificial intelligence-driven bug hunting platform has uncovered a 15-year-old vulnerability in the Linux kernel that lets any unprivileged user escalate to root access in seconds, marking another milestone in the accelerating use of AI for vulnerability discovery.

The flaw, tracked as CVE-2026-43499 and named GhostLock, is a use-after-free vulnerability in the kernel’s priority-inheritance futex code that has been present since 2011. It carries a CVSS score of 7.8 (High). Researchers at Nebula Security discovered it using the company’s VEGA AI platform, which systematically analyzed old kernel code that had rarely been revisited by human reviewers.

“Nobody noticed. Then an AI bug-hunting tool went looking, and now any logged-in user on an unpatched machine can turn themselves into root in about five seconds,” Sameed Khan reported for Secure.com News.

The Nebula team built a working exploit with 97 percent reliability and demonstrated that the vulnerability can also be used to escape container isolation, a critical finding for cloud platforms, multi-tenant environments, and CI/CD runners that rely on container boundaries for security. Google paid the researchers $92,337 through its kernelCTF bug-bounty program for the discovery.

Working exploit code has been made public, but no active wild abuse has been reported.

GhostLock’s severity is amplified by a demonstrated attack chain called IonStack, which combines the kernel bug with a separate Firefox vulnerability (CVE-2026-10702). In that scenario, a victim need only open a malicious link: the browser exploit provides initial code execution inside Firefox’s sandbox, then GhostLock escalates the session to full root control. The researchers demonstrated the chain working against Android Firefox.

The discovery comes days after another AI-discovered Linux privilege-escalation bug, Bad Epoll (CVE-2026-46242), was disclosed in related old kernel code. Security researchers expect this pattern to continue as AI-powered analysis tools systematically comb through decades of legacy kernel code.

Mitigation and patching

GhostLock affects all Linux kernels from 2011 onward. Patches are available through mainstream distribution channels, though administrators should verify their distribution’s specific fix. Early patches introduced a separate kernel crash in some builds.

Systems that should be prioritized for patching include:

  • Multi-tenant cloud servers and container hosts, where the container-escape vector poses the greatest risk
  • Shared development and CI/CD infrastructure
  • Any system where unprivileged local users have accounts

Kernel hardening features such as RANDOMIZE_KSTACK_OFFSET and STATIC_USERMODE_HELPER can make exploitation more difficult but do not remove the underlying vulnerability.

The GhostLock disclosure underscores a broader shift in cybersecurity: AI tools are making it feasible to audit vast swaths of legacy infrastructure code that human reviewers have long deprioritized. What took 15 years for a human team to miss can now be found by an AI in hours.

Sources: GhostLock Flaw Gives Any Linux User Root Access (Secure.com News, July 8, 2026); AI Found a Root Bug in Linux That Everyone Missed for 15 Years (Wired, July 11, 2026)

Scroll to Top