Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20260709040200.GA30802@openwall.com>
Date: Thu, 9 Jul 2026 06:02:00 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: "Dr. Thomas Orgis" <thomas.orgis@...-hamburg.de>
Subject: Re: Linux: GhostLock / CVE-2026-43499 / stack-UAF and LPE in kernels 2.6.39 till 7.1

On Wed, Jul 08, 2026 at 10:41:29PM +0200, Dr. Thomas Orgis wrote:
> as I did not see it mentioned on this list yet, there seems to be yet
> another serioys LPE or at least DoS for the Linux kernel, dubbed
> GhostLock and assigned CVE-2026-43499:
> 
> 	https://nebusec.ai/research/ionstack-part-2/

Right, and since futex is core functionality there's no good mitigation.

Other recent futex bugs CVE-2026-23415, CVE-2026-31554, CVE-2026-52973
have same CVSS 7.8 per kernel CNA as GhostLock CVE-2026-43499.  I don't
know if they're actually just as bad or hopefully not, but they may be.
At least one of them had a little bit of publicity back in April via:

https://mtlynch.io/claude-code-found-linux-vulnerability/

It's number 3 out of 5 bugs listed in one of the sections of that post:

 3. futex: Require sys_futex_requeue() to have identical flags

which became CVE-2026-31554.

Out of these 3 other CVEs, Red Hat currently recognizes Integrity impact
only for CVE-2026-52973.  The other two maybe actually don't have such
impact, or maybe are currently underestimated.  Also, per upstream vulns
repo they're kernel 6.7+ to 6.17+ (varies by CVE), yet are recognized as
affecting RHEL 7+ or 9+ (varies by CVE), suggesting the underlying bugs
may have been backported.

> As I'd have hoped to get an alert via this list, I figured a notice is
> in order.

Yes, thank you!

> Or do we give up to keep track of the stream of serious Linux
> kernel flaws? :-/

That depends on what "serious" means.  In practice, proof or at least
expectation of exploitability matters.  Otherwise it'd be way too many.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.