AI Tool Finds 15-Year-Old Linux Kernel Bug
According to a Wired report, security firm Nebula Security published exploit code for a vulnerability in the Linux kernel that went undetected for 15 years. The bug, designated CVE-2026-43499 and named GhostLock, is a use-after-free flaw that allows any logged-in user to gain root access on an unpatched machine. Nebula discovered the vulnerability using VEGA, its AI-driven bug-hunting tool, as part of a 2026 effort to surface flaws in old kernel code. The exploit was 97 percent reliable in testing and earned a $92,337 payout through Google’s kernelCTF program. The flaw was fixed in April, but patch availability remains uneven, with Ubuntu still listing several LTS versions as vulnerable or in progress as of early July. The bug shipped by default in essentially every mainstream Linux distribution since 2011 and requires no special permissions or network access.
What’s reported
Key figures
Sources: Wired
