AI discovers Linux bug that went unnoticed for 15 years
There is currently no practical mitigation for GhostLock other than installing a patched kernel.

- Researchers found GhostLock, a Linux kernel flaw that allowed local attackers to gain root control for 15 years.
- Nebula Security says the bug affected major Linux distributions released since 2011 and has no practical mitigation.
- The only complete fix is installing the patched Linux 7.1 kernel, making urgent updates important for affected systems.
- Nebula’s AI agent VEGA discovered the flaw, showing how AI tools are reshaping security research and vulnerability hunting.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Researchers have uncovered a Linux kernel vulnerability, dubbed GhostLock, that remained hidden for 15 years. It allows attackers with local access to gain root privileges on virtually every major Linux distribution released since 2011.
GhostLock, tracked as CVE-2026-43499, was introduced in Linux 2.6.39 and fixed in Linux 7.1, which means it has existed for more than 15 years, according to Nebula Security.
By exploiting the flaw, a threat actor can gain full root privileges, effectively taking control over the compromised system.
The vulnerability was introduced by a helper function responsible for cleaning up tasks after they finish as part of the Linux kernel's scheduling system.
Although normally the function clears the current task, due to the security issue, when a deadlock is encountered and a rollback is triggered, it frees memory by mistake while another task still holds a pointer to it.
This means that attackers could manipulate the freed memory before it’s reused. Nebula Security said it was able to successfully exploit the flaw to achieve local privilege escalation to root.
Researchers’ exploit succeeded 97% of the time during testing, with Google awarding them a $92,337 bug bounty through its kernelCTF program.
There is currently no practical mitigation for GhostLock. The only complete fix is to install the patched kernel.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
The vulnerability was discovered by VEGA, an AI bug-hunting and security agent developed by Nebula Security. Nebula claims that VEGA can discover vulnerabilities “faster than humans ever could”.
AI is becoming increasingly useful when it comes to bug hunting. In June, Anthropic's Mythos model identified vulnerabilities in highly sensitive US government systems during a testing exercise. Senator Mark Warner of Virginia said he had been informed by National Security Agency chief Joshua Rudd that Mythos "broke into almost all of our classified systems, not in weeks, but in hours."