CVE-2026-43499
HIGHrtmutex: Use waiter::task instead of current in remove_waiter()
Title source: cnaExploitation Summary
EIP tracks 10 public exploits for CVE-2026-43499. PoCs published by Unclecheng-li, x-spy, MobiusM.
AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2026-43499 (GhostLock), a 15-year-old stack use-after-free (UAF) vulnerability in the Linux kernel's rtmutex remove_waiter() function. The PoC demonstrates the vulnerability by triggering a dangling pi_blocked_on pointer via FUTEX_CMP_REQUEUE_PI, leading to a controllable kernel stack UAF that can be used for local privilege escalation (LPE) or container escape.
Description
In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue(). In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems: 1) the rbtree dequeue happens without waiter::task::pi_lock being held 2) the waiter task's pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around. 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems. [ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ]
Exploits (10)
This repository contains a functional proof-of-concept exploit for CVE-2026-43499 (GhostLock), a 15-year-old stack use-after-free (UAF) vulnerability in the Linux kernel's rtmutex remove_waiter() function. The PoC demonstrates the vulnerability by triggering a dangling pi_blocked_on pointer via FUTEX_CMP_REQUEUE_PI, leading to a controllable kernel stack UAF that can be used for local privilege escalation (LPE) or container escape.
This repository contains a functional local privilege escalation (LPE) exploit for CVE-2026-43499, targeting a Linux kernel vulnerability in the `pselect` syscall mechanism. The exploit leverages a race condition in kernel memory manipulation to achieve arbitrary write primitives and escalate privileges to root via a custom su daemon.
This repository contains a functional exploit PoC for CVE-2026-43499, a Linux kernel futex PI use-after-free vulnerability. The exploit demonstrates a deadlock cycle and UAF crash via crafted futex operations, targeting the rtmutex subsystem.
This repository provides a backported patch for CVE-2026-43499 (GhostLock), a use-after-free vulnerability in the OpenVZ kernel's RT-mutex subsystem. The patch fixes a dangling pointer issue in `remove_waiter()` where `current` was incorrectly used instead of `waiter->task` during proxy lock operations, leading to potential kernel memory corruption.
The repository claims to provide an exploit for CVE-2026-43499, a Linux kernel rtmutex vulnerability, but contains no actual exploit code or technical details. Instead, it links to an external download (tinyurl) without any substantive analysis or PoC.
This repository contains a Linux kernel exploit targeting CVE-2026-43499, leveraging pipe buffer manipulation and slab cache shaping to achieve privilege escalation. The exploit uses KernelSnitch for memory leaks and physrw primitives for arbitrary read/write.
This repository contains a Linux kernel exploit targeting CVE-2026-43499, leveraging pipe buffer manipulation and slab cache shaping for local privilege escalation (LPE). The exploit uses KernelSnitch for memory leaks and includes detailed memory corruption techniques to achieve arbitrary physical read/write primitives.
This repository provides a functional proof-of-concept exploit for CVE-2026-43499, a Linux kernel futex PI use-after-free vulnerability affecting ARM v7 architectures. The exploit triggers a kernel panic via a crafted futex requeue operation, demonstrating the UAF condition in the futex priority inheritance mechanism.
The repository contains only a README file with the CVE identifier and no technical details, exploit code, or vulnerability analysis. It serves as a placeholder with minimal content.
This repository claims to be a PoC for CVE-2026-43499 but contains no actual exploit code, technical details, or vulnerability analysis. It only includes a README with generic setup instructions, a screenshot, a license, and a .gitignore file.
References (7)
Scores
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H