ArticlesSecurity Advisories

Mitigating GhostLock (CVE-2026-43499, CVE-2026-53163) on Rocky Linux 8, 9, 10, and LTS Variants

cvesecuritykernelrocky linuxltsmitigationtroubleshooting

Arsalan Zaidi
Customer Support Engineer

Jul 08, 2026

Introduction

GhostLock is a pair of related vulnerabilities in the Linux kernel real-time mutex (rtmutex) subsystem:

  • CVE-2026-43499 is a use-after-free in the remove_waiter() function in kernel/locking/rtmutex.c. When a FUTEX_CMP_REQUEUE_PI operation returns -EDEADLK, the rollback path clears pi_blocked_on on the wrong task (the current thread instead of the actual waiter), leaving the waiter with a dangling pointer to a freed stack frame.
  • CVE-2026-53163 is a bug introduced by the fix for CVE-2026-43499 in the same remove_waiter() function. The two fixes must be applied together.

An unprivileged local user can trigger the CVE-2026-43499 race to crash the kernel (denial of service) or, with a more sophisticated exploit chain, achieve local privilege escalation. Public exploit code is available, including a denial-of-service proof-of-concept and a full privilege escalation chain targeting mobile platforms.

CVE-2026-43499 was introduced in Linux 2.6.39 (commit 8161239a8bcc) and fixed upstream in v7.1-rc1 (commit 3bfdc63936dd). CVE-2026-53163 is fixed by commit 40a25d59e85b. Both fixes must land together. No special privileges or kernel configuration beyond the default CONFIG_FUTEX_PI=y are required to trigger the bug.

Problem

GhostLock affects any Linux system running a kernel between versions 2.6.39 and 7.1-rc1 with futex PI support enabled (the default configuration). Exploitation requires only local code execution.

Treat the following systems as affected unless they are running a patched kernel listed in the Patched Kernels section:

  • Rocky Linux 8, 9, and 10 community releases
  • Rocky Linux 8 and 9 LTS variants
  • RLC Pro FIPS variants
  • RLC Pro variants based on Rocky Linux 8, 9, or 10, including RLC Pro Hardened

Any system with local shell users, shared application accounts, CI runners, or workloads capable of running untrusted code should be treated as exposed until patched. The vulnerability cannot be exploited remotely on its own, but remote code execution on the system would enable the local exploit.

Status

  • Patched kernels are available. See the Patched Kernels table below for specific versions.
  • No effective runtime mitigation exists. See the Mitigation section for partial hardening measures.
  • CIQ Bridge and CentOS 7.9 systems are also affected. A patched CIQ Bridge kernel is available.
  • Open a support case if you need help assessing exposure or tracking patched kernel availability for a specific CIQ variant.

Patched Kernels

Variant Patched Kernel Version Repo Released
CIQ Bridge 7.9 kernel-3.10.0-1160.119.1.el7_9.ciqcbr.18.1 ciq-bridge 2026-07-14
RLC Pro LTS 8.6 kernel-4.18.0-372.32.1+32.1.el8_6_ciq rlc-8.6-lts.x86_64 2026-07-14
RLC Pro 9 kernel-5.14.0-687.24.1+2.1.el9_8_ciq rlc-pro-9.x86_64 2026-07-15
RLC Pro LTS 9.2 kernel-5.14.0-284.30.1+35.1.el9_2_ciq rlc-9.2-lts.x86_64 2026-07-15
RLC Pro LTS 9.6 kernel-5.14.0-570.60.1+18.1.el9_6_ciq rlc-9.6-lts.x86_64 2026-07-14
RLC Pro FIPS 9.2 kernel-5.14.0-284.30.1+35.1.el9_2_ciq fips-9.2-compliant-x86_64 2026-07-15
RLC Pro FIPS 9.6 kernel-5.14.0-570.60.1+18.1.el9_6_ciq fips-9.6-compliant-x86_64 2026-07-14
CIQ SIG/Cloud Next 9 kernel-5.14.0-687.24.1+2.1.el9_8_ciq ciq-sigcloud-next-9.x86_64 2026-07-15
CIQ SIG/Cloud Next 10 kernel-6.12.0-211.32.1+2.1.el10_2_ciq ciq-scn-10.x86_64 2026-07-16
CIQ Linux Kernel LT 6.12 kernel-clk6.12-6.12.95-1.1.el9_clk clk-6.12-el9.x86_64 2026-07-09
CIQ Linux Kernel 6.18 kernel-clk6.18-6.18.38-2.1.el9_clk clk-6.18-el9.x86_64 2026-07-15

CIQ updates this table as tested kernels become available for each variant.

Confirm what is running on a given system with:

uname -r

Installing the Update

CIQ Bridge (CentOS 7)

sudo yum update kernel*

Reboot into the new kernel after the update completes.

RLC Pro LTS, FIPS, RLC Pro, and SIG/Cloud Next

sudo dnf update kernel*

Reboot into the new kernel after the update completes. No additional repository configuration is needed; the update is available from the configured CIQ repository. If the update does not appear, run sudo dnf clean all && sudo dnf makecache to refresh repository metadata.

CIQ Linux Kernel (CLK) Variants

sudo dnf update kernel-clk*

Reboot into the new kernel.

Mitigation

There is no runtime mitigation that fully prevents the GhostLock vulnerability. The affected code path (FUTEX_CMP_REQUEUE_PI) is part of the POSIX futex subsystem and cannot be disabled through sysctl, module blocking, or namespace restrictions without breaking standard threading primitives used by glibc and most multithreaded applications.

The following kernel hardening options reduce the exploitability of the underlying use-after-free, but do not prevent the denial-of-service crash:

Partial hardening: randomize_kstack_offset

Rocky Linux 9 kernels ship with CONFIG_RANDOMIZE_KSTACK_OFFSET=y compiled in, but the feature is disabled by default. Enabling it at boot adds approximately 5 bits of randomization to kernel stack frame placement, which breaks the stack-reclaim technique needed for the privilege escalation chain. It does not prevent the DoS PoC from crashing the kernel.

To enable on the next boot, add the kernel parameter:

sudo grubby --update-kernel=ALL --args="randomize_kstack_offset=on"

Reboot for the change to take effect. Verify with:

cat /proc/cmdline | grep randomize_kstack_offset

Rocky Linux 8 kernels (4.18.x) do not include this feature.

Verification

To verify whether a system is running a patched kernel once one is available:

uname -r

Compare the output against the Patched Kernels table above. If the running kernel version matches or is newer than the patched version listed for your variant, the fix is in place.

To check whether randomize_kstack_offset is enabled (partial hardening only):

cat /proc/cmdline | grep -o "randomize_kstack_offset=[a-z]*"

If the output reads randomize_kstack_offset=on, the hardening is active.

Resolution

Once patched kernels are available:

  1. Update the kernel: sudo dnf update kernel*
  2. Reboot into the new kernel
  3. Verify the running kernel with uname -r
  4. If randomize_kstack_offset=on was added as a temporary hardening measure, it can be left in place (no negative impact) or removed with sudo grubby --update-kernel=ALL --remove-args="randomize_kstack_offset=on"

Notes

  • The GhostLock DoS proof-of-concept requires no privileges and no special kernel modules. It uses only standard futex system calls available to any unprivileged user. Blocking the exploit through seccomp or AppArmor would require filtering SYS_futex with FUTEX_CMP_REQUEUE_PI, which would break most threaded applications.
  • The full privilege escalation exploit published by the researchers targets Android (aarch64) and relies on platform-specific techniques (PR_SET_MM_MAP, inet6_protos overwrite, CPU Entry Area gadgets). The researchers note that adaptation to x86_64 Linux is feasible but requires different targets and offsets.
  • Systems running CONFIG_STATIC_USERMODE_HELPER=y are partially protected against the specific "DirtyMode" escalation path that rewrites /proc/sys/kernel/core_pattern, but not against the underlying UAF or alternative escalation techniques.
  • The fixes for CVE-2026-43499 and CVE-2026-53163 must be applied together. Commit 74e144274af3 must not ship without its revert 39def6d250d3, because it is a redundant second fix for a case the CVE-2026-53163 fix already covers. The CIQ 6.18 kernel (kernel-clk6.18) ships this revert starting in release 2.1 (kernel-clk6.18-6.18.38-2.1.el9_clk); release 1.x of that build does not carry the revert and should not be used.

Related Articles

CVE-2026-43499 on NVD

CVE-2026-53163 on NVD

CVE-2026-43499 on MITRE

CVE-2026-53163 on MITRE

NebuSec IonStack Part 2: GhostLock

NebuSec CyberMeowfia PoC Repository

Upstream fix for CVE-2026-43499 (commit 3bfdc63936dd)

Upstream fix for CVE-2026-53163 (commit 40a25d59e85b)