Update -
Reminder for the kernel-update path: update the LVE kernel module kmod-lve in the same run as the kernel. The patched kernel keeps the same KABI, so a current module stays compatible, but a host coming from a much older kernel can end up with an incompatible kmod-lve; update both together to avoid a module/kernel mismatch.
CL8 (beta):
yum update 'kernel*' --enablerepo=cloudlinux-updates-testing
yum update kmod-lve --enablerepo=cloudlinux-updates-testing
reboot
CL7h uses --enablerepo=cl7h_beta for the kernel;
CL9/CL10 add dnf update kmod-lve --enablerepo=cloudlinux-updates-testing before reboot.
Full instructions in the blog post
Jul 13, 2026 - 11:44 UTC
Update - The patched CloudLinux 7 kernel is in the beta/testing channel, and rollout to stable has started. You may install from the testing channel now. Target version:
CL7: kernel-3.10.0-962.3.2.lve1.5.89.el7 or newer
The CloudLinux 7 KernelCare livepatch is now in the testing feed, with promotion to the main feed to follow.
Jul 11, 2026 - 03:12 UTC
Update - Released in test feed:
rhel7 K20260710_48
oel7 K20260710_49
cl7 K20260710_52
oel8-uek6 K20260710_46
oel7-uek6 K20260710_45
amazon2 K20260710_47
EL8 (not previously listed):
almalinux8 - K20260710_41 (general kernel, test);
rhel8 - K20260710_28 — kernel-eus-8.6 only ⚠️ (general RHEL8/CL8 not covered).
EL10 + Debian 12 in test
rhel10 - K20260710_20,
almalinux10 - K20260710_23,
rockylinux10 - K20260710_22,
oel10 - K20260710_21,
debian12 - K20260710_24
Jul 10, 2026 - 15:46 UTC
Update - New patches available in the main feed:
rhel9 - K20260709_03
almalinux9 - K20260709_05
oel9 - K20260709_08
rockylinux9 - K20260709_10
Jul 10, 2026 - 11:32 UTC
Update - New patches available for the following systems:
pve-8 - K20260710_04
ubuntu-noble - K20260710_02
almalinux9 LTS - K20260710_14
almalinux9 FIPS 9.6 - K20260710_01
kcarectl --patch-info will reference only CVE-2026-43499 (53166 is not cited), so finding CVE-2026-43499 is sufficient to confirm GhostLock is patched.
the follow-up fix CVE-2026-53166 was reverted upstream (regression)
EL6 distros has low priority
Jul 10, 2026 - 09:52 UTC
Update - The first GhostLock KernelCare livepatches for the CloudLinux 9 / AlmaLinux 9 family are now in the testing feed and are expected to reach the main feed within hours. Once they promote to the main feed, subscribed CloudLinux 9 servers receive them automatically on the next update cycle. Livepatches for the remaining affected CloudLinux families are still in preparation. To update, you may run:
kcarectl --update --prefix test
Jul 10, 2026 - 04:02 UTC
Monitoring - Patched kernels are available:
Patched CloudLinux kernels for CL7h and CL8 are in the beta/testing channel, and rollout to stable has started.
CL7h: kernel-4.18.0-553.141.2.lve.el7h or newer
CL8: kernel-4.18.0-553.141.2.lve.el8 or newer
AlmaLinux has published patched kernels to its testing repository.
CloudLinux 9 / AlmaLinux 9: kernel-5.14.0-687.23.2.el9_8 or newer
CloudLinux 10 / AlmaLinux 10: kernel-6.12.0-211.31.2.el10_2 or newer
Jul 09, 2026 - 12:11 UTC
Update -
GhostLock requires two fixes, shipped together: CVE-2026-43499 and CVE-2026-53166.
Both are required for a system to be considered patched.
All supported CloudLinux versions are affected — CL7, CL7h, CL8, CL8 LTS, CL9, CL9 LTS, CL10, and CloudLinux for Ubuntu 22.04 LTS. GhostLock's vulnerable range covers every kernel CloudLinux ships.
There is no practical runtime mitigation. The prerequisite CONFIG_FUTEX_PI is a build-time kernel option with no runtime switch, and it cannot be disabled on a running server without breaking the priority-inheritance mutexes applications depend on. There is no module to blacklist and no sysctl to set. Per-tenant sandboxing does not close it either - the trigger is the futex syscall, available to any local process. For containerized or sandboxed workloads only, a seccomp policy blocking FUTEX_LOCK_PI, FUTEX_WAIT_REQUEUE_PI and FUTEX_CMP_REQUEUE_PI reduces exposure.
The kernel update or KernelCare livepatch is the fix.
Patched kernels and KernelCare livepatches for all affected versions are being prepared. A KernelCare livepatch will be available as a no-reboot alternative on every affected version. Target kernel versions and patch IDs will be posted here as each release ships.
Once KernelCare livepatches are live, verify both fixes are present:
kcarectl --patch-info | grep -E 'CVE-2026-43499|CVE-2026-53166'
Do not use kcarectl --info | grep CVE — it returns empty output even on correctly patched systems.
Full advisory and per-platform update instructions: GhostLock (CVE-2026-43499) blog post.
Jul 09, 2026 - 11:57 UTC