GhostLock (CVE-2026-43499) Local Root Exploit

Incident Report for CloudLinux

Monitoring

Patched kernels are available:
Patched CloudLinux kernels for CL7h and CL8 are in the beta/testing channel, and rollout to stable has started.
CL7h: kernel-4.18.0-553.141.2.lve.el7h or newer
CL8: kernel-4.18.0-553.141.2.lve.el8 or newer
AlmaLinux has published patched kernels to its testing repository.
CloudLinux 9 / AlmaLinux 9: kernel-5.14.0-687.23.2.el9_8 or newer
CloudLinux 10 / AlmaLinux 10: kernel-6.12.0-211.31.2.el10_2 or newer
Posted Jul 09, 2026 - 12:11 UTC

Update

GhostLock requires two fixes, shipped together: CVE-2026-43499 and CVE-2026-53166.
Both are required for a system to be considered patched.

All supported CloudLinux versions are affected — CL7, CL7h, CL8, CL8 LTS, CL9, CL9 LTS, CL10, and CloudLinux for Ubuntu 22.04 LTS. GhostLock's vulnerable range covers every kernel CloudLinux ships.

There is no practical runtime mitigation. The prerequisite CONFIG_FUTEX_PI is a build-time kernel option with no runtime switch, and it cannot be disabled on a running server without breaking the priority-inheritance mutexes applications depend on. There is no module to blacklist and no sysctl to set. Per-tenant sandboxing does not close it either - the trigger is the futex syscall, available to any local process. For containerized or sandboxed workloads only, a seccomp policy blocking FUTEX_LOCK_PI, FUTEX_WAIT_REQUEUE_PI and FUTEX_CMP_REQUEUE_PI reduces exposure.

The kernel update or KernelCare livepatch is the fix.

Patched kernels and KernelCare livepatches for all affected versions are being prepared. A KernelCare livepatch will be available as a no-reboot alternative on every affected version. Target kernel versions and patch IDs will be posted here as each release ships.

Once KernelCare livepatches are live, verify both fixes are present:
kcarectl --patch-info | grep -E 'CVE-2026-43499|CVE-2026-53166'
Do not use kcarectl --info | grep CVE — it returns empty output even on correctly patched systems.

Full advisory and per-platform update instructions: GhostLock (CVE-2026-43499) blog post.
Posted Jul 09, 2026 - 11:57 UTC

Investigating

Patched kernels and KernelCare livepatches for affected CloudLinux versions are being prepared. For more details, please check: https://blog.cloudlinux.com/ghostlock-cve-2026-43499-local-root-exploit-kernel-update-for-cloudlinux/
Posted Jul 08, 2026 - 18:40 UTC
This incident affects: CloudLinux OS Components (CloudLinux Kernel).