CVE-2026-43499

HIGH

rtmutex: Use waiter::task instead of current in remove_waiter()

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 10 public exploits for CVE-2026-43499. PoCs published by Unclecheng-li, x-spy, MobiusM.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2026-43499 (GhostLock), a 15-year-old stack use-after-free (UAF) vulnerability in the Linux kernel's rtmutex remove_waiter() function. The PoC demonstrates the vulnerability by triggering a dangling pi_blocked_on pointer via FUTEX_CMP_REQUEUE_PI, leading to a controllable kernel stack UAF that can be used for local privilege escalation (LPE) or container escape.

Description

In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue(). In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems: 1) the rbtree dequeue happens without waiter::task::pi_lock being held 2) the waiter task's pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around. 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems. [ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ]

Exploits (10)

github WORKING POC 731 stars
by Unclecheng-li · cpoc
https://github.com/Unclecheng-li/poc-lab/tree/main/CVE-2026-43499 GhostLock

This repository contains a functional proof-of-concept exploit for CVE-2026-43499 (GhostLock), a 15-year-old stack use-after-free (UAF) vulnerability in the Linux kernel's rtmutex remove_waiter() function. The PoC demonstrates the vulnerability by triggering a dangling pi_blocked_on pointer via FUTEX_CMP_REQUEUE_PI, leading to a controllable kernel stack UAF that can be used for local privilege escalation (LPE) or container escape.

Classification
Working Poc 99%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (versions 2.6.39 to 6.18.27, with CONFIG_FUTEX_PI=y)
No auth needed
Prerequisites: Linux kernel with CONFIG_FUTEX_PI enabled · No special capabilities required (zero capability) · Single-core system sufficient for exploitation
mistral-large-3 · analyzed Jul 11, 2026 Full analysis →
github WORKING POC 6 stars
by x-spy · cpoc
https://github.com/x-spy/CVE-2026-43499-popsicle

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2026-43499, targeting a Linux kernel vulnerability in the `pselect` syscall mechanism. The exploit leverages a race condition in kernel memory manipulation to achieve arbitrary write primitives and escalate privileges to root via a custom su daemon.

Classification
Working Poc 98%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel (arm64, 4K pages, specific offsets likely version-dependent)
Auth required
Prerequisites: Local shell access (UID 2000 or root) · Target kernel with vulnerable `pselect` implementation and specific memory layout · Ability to execute compiled binaries on the target
mistral-large-3 · analyzed Jul 12, 2026 Full analysis →
github WORKING POC 1 stars
by MobiusM · cpoc
https://github.com/MobiusM/CVE-2026-43499

This repository contains a functional exploit PoC for CVE-2026-43499, a Linux kernel futex PI use-after-free vulnerability. The exploit demonstrates a deadlock cycle and UAF crash via crafted futex operations, targeting the rtmutex subsystem.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Complex
Reliability
Reliable
Target: Linux Kernel (specific versions not specified, but observed on Linux 6.1)
No auth needed
Prerequisites: Multi-threaded environment · PI-capable futexes · Specific kernel version with the vulnerability
mistral-large-3 · analyzed Jun 27, 2026 Full analysis →
github WRITEUP
by dmcdtc · cpoc
https://github.com/dmcdtc/openvz-cve-patch-2026

This repository provides a backported patch for CVE-2026-43499 (GhostLock), a use-after-free vulnerability in the OpenVZ kernel's RT-mutex subsystem. The patch fixes a dangling pointer issue in `remove_waiter()` where `current` was incorrectly used instead of `waiter->task` during proxy lock operations, leading to potential kernel memory corruption.

Classification
Writeup 98%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: OpenVZ 7 kernel vzkernel-3.10.0-1160.129.1.ovz7.226.2
No auth needed
Prerequisites: Local access to a vulnerable OpenVZ 7 system · Ability to compile and install a custom kernel
mistral-large-3 · analyzed Jul 12, 2026 Full analysis →
github SUSPICIOUS
by caspy123 · poc
https://github.com/caspy123/CVE-2026-43499

The repository claims to provide an exploit for CVE-2026-43499, a Linux kernel rtmutex vulnerability, but contains no actual exploit code or technical details. Instead, it links to an external download (tinyurl) without any substantive analysis or PoC.

Classification
Suspicious 98%
Attack Type
Other
Complexity
Unknown
Reliability
Unknown
Target: Linux kernel (rtmutex component)
No auth needed
mistral-large-3 · analyzed Jul 11, 2026 Full analysis →
github WORKING POC
by inforcqb · cpoc
https://github.com/inforcqb/CVE-2026-43499-pja110

This repository contains a Linux kernel exploit targeting CVE-2026-43499, leveraging pipe buffer manipulation and slab cache shaping to achieve privilege escalation. The exploit uses KernelSnitch for memory leaks and physrw primitives for arbitrary read/write.

Classification
Working Poc 98%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel (target-specific: caiman-CP2A.260605.012)
No auth needed
Prerequisites: Local access to the target system · Linux kernel version matching the target (caiman-CP2A.260605.012) · Ability to create pipes and memfd objects
mistral-large-3 · analyzed Jul 10, 2026 Full analysis →
github WORKING POC
by pubglite55 · cpoc
https://github.com/pubglite55/oppo-ghostlock

This repository contains a Linux kernel exploit targeting CVE-2026-43499, leveraging pipe buffer manipulation and slab cache shaping for local privilege escalation (LPE). The exploit uses KernelSnitch for memory leaks and includes detailed memory corruption techniques to achieve arbitrary physical read/write primitives.

Classification
Working Poc 98%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel (Oppo Find N2, caiman-CP2A.260605.012 build)
Auth required
Prerequisites: Local shell access on vulnerable Oppo device · Kernel version matching exploit offsets · Ability to execute native code
mistral-large-3 · analyzed Jul 10, 2026 Full analysis →
nomisec WORKING POC
by tc3650 · poc
https://github.com/tc3650/CVE-2026-43499-armv7

This repository provides a functional proof-of-concept exploit for CVE-2026-43499, a Linux kernel futex PI use-after-free vulnerability affecting ARM v7 architectures. The exploit triggers a kernel panic via a crafted futex requeue operation, demonstrating the UAF condition in the futex priority inheritance mechanism.

Classification
Working Poc 98%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel versions 2.6.39 to 6.18.x (ARM v7)
No auth needed
Prerequisites: ARM v7 device with vulnerable Linux kernel (2.6.39 ≤ version ≤ 6.18.x) · ADB access to push and execute the exploit · CONFIG_FUTEX_PI enabled in kernel configuration
mistral-large-3 · analyzed Jul 09, 2026 Full analysis →
github STUB
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-43499

The repository contains only a README file with the CVE identifier and no technical details, exploit code, or vulnerability analysis. It serves as a placeholder with minimal content.

Classification
Stub 95%
Attack Type
Other
Complexity
N/a
Reliability
N/a
Target: unspecified
No auth needed
mistral-large-3 · analyzed Jul 09, 2026 Full analysis →
github STUB
by HORKimhab · poc
https://github.com/HORKimhab/CVE-2026-43499

This repository claims to be a PoC for CVE-2026-43499 but contains no actual exploit code, technical details, or vulnerability analysis. It only includes a README with generic setup instructions, a screenshot, a license, and a .gitignore file.

Classification
Stub 95%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unspecified
No auth needed
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →

Scores

CVSS v3 7.8
EPSS 0.0013
EPSS Percentile 2.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (21)
linux/Kernel 2.6.39 - 6.1.175linux
linux/Kernel 6.13.0 - 6.18.27linux
linux/Kernel 6.19.0 - 7.0.4linux
linux/Kernel 6.2.0 - 6.6.140linux
linux/Kernel 6.7.0 - 6.12.86linux
Linux/Linux < 2.6.39
Linux/Linux 2.6.39
Linux/Linux 6.1.175 - 6.1.*
Linux/Linux 6.12.86 - 6.12.*
Linux/Linux 6.18.27 - 6.18.*
... and 11 more
Published May 21, 2026
Tracked Since May 21, 2026