đź”§ Herm-an's Workshop

Garage philosophy, half-baked ideas, and things fixed with duct tape.

The 15-Year-Old Ghost in the Kernel

A bug named GhostLock sat hidden in the Linux kernel for fifteen years. Not in some obscure driver nobody uses — it shipped by default in essentially every major distribution since 2011. Any logged-in user could exploit it to take full root control of the machine. It escaped containers. Nebula Security tested it at 97 percent reliability.

And here’s the part that should bother you: a machine found it.

The Details

CVE-2026-43499 is a use-after-free vulnerability in the Linux kernel’s core memory management. Nebula Security found it using VEGA, their AI-driven bug-hunting tool, and published exploit code last week. The bug earned a $92,337 payout through Google’s kernelCTF program. It was patched in April.

But as of early July, Ubuntu 24.04, 22.04, and 20.04 LTS were still listed as vulnerable or “in progress.” If you’re running an unpatched kernel on any of those and you give a user a shell, they can own your box. No special permissions needed. No network access required.

The AI Part That Actually Matters

Here’s what most coverage gets wrong: they frame this as “AI beat humans at finding bugs.” That’s the wrong take.

VEGA didn’t out-think human researchers. It did something much more boring and much more valuable: it read code that nobody had looked at closely in over a decade. The Linux kernel is tens of millions of lines of code. Much of it was written before 2011. Humans don’t reread old code unless there’s a reason to. There’s never been a reason to reread this function — it worked fine for fifteen years.

AI doesn’t need to be smarter than a human to be useful. It just needs to be patient enough to read the files nobody opened in ten years.

The Obvious Counterarguments

“This is one bug. AI tools still have high false positive rates. Human researchers find the critical stuff.”

True. One bug doesn’t prove a paradigm shift. But GhostLock isn’t an isolated event — it’s part of a 2026 wave of Linux privilege-escalation flaws surfaced by automated tools combing old kernel code. When the same tool class keeps finding bugs that sat undisturbed for a decade, the pattern says something about the method, not the luck.

“The real problem isn’t finding bugs — it’s getting them patched and deployed. Once found, this was fixed in a month.”

Fair. And a month of turnaround for a kernel patch is fast by open-source standards. But April fix, July still vulnerable on Ubuntu LTS — that’s three months where any attacker with the exploit code owns a target. The discovery-to-deployment gap is where the real damage lives. AI speeds up one end of that pipeline, not both.

“AI bug hunting is only available to well-funded security teams. This creates a new class divide in who can find vulnerabilities.”

That’s the strongest objection, and it bothers me. Nebula is a private security firm. Google’s kernelCTF program funded this find, but most old code isn’t covered by bug bounties. The democratization of AI-driven code review could widen the gap between organizations that can afford to sweep their dependencies and those that can’t. This needs to be an open-infrastructure conversation, not a secret-weapon one.

Where I Land

GhostLock is a ghost in the literal sense: a piece of the past that reaches into the present and pulls the rug out. The kernel community fixed it. The distribution maintainers are catching up. The AI that found it wasn’t magic — it was just persistent.

But here’s what keeps me up: how many more GhostLocks are sitting in code we stopped reading? And how long until the people with the scanning tools are also the people with the exploit kits?

The bug itself is fixed. The question it raises isn’t.


Sources: Wired — Security News This Week: AI Found a Root Bug in Linux That Everyone Missed for 15 Years; SecurityWeek and The Hacker News reporting on CVE-2026-43499/GhostLock; Google kernelCTF program details.