
  <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
      <title>Chaos and Order</title>
      <link>https://www.youngju.dev/blog</link>
      <description>천천히 올바르게. AI Researcher &amp; DevOps Engineer Youngju&#39;s tech blog. GPU/CUDA, LLM, MLOps, Kubernetes AI workloads, distributed training, and data engineering.</description>
      <language>ko</language>
      <managingEditor>fjvbn2003@gmail.com (Youngju Kim)</managingEditor>
      <webMaster>fjvbn2003@gmail.com (Youngju Kim)</webMaster>
      <lastBuildDate>Sat, 11 Jul 2026 00:00:00 GMT</lastBuildDate>
      <atom:link href="https://www.youngju.dev/tags/privilege-escalation/feed.xml" rel="self" type="application/rss+xml"/>
      
  <item>
    <guid>https://www.youngju.dev/blog/2026-07-11-ghostlock-linux-uaf.en</guid>
    <title>GhostLock: a stack use-after-free that hid in Linux rtmutex for 15 years (CVE-2026-43499)</title>
    <link>https://www.youngju.dev/blog/2026-07-11-ghostlock-linux-uaf.en</link>
    <description>GhostLock (CVE-2026-43499) is a stack use-after-free in the Linux kernel&#39;s real-time mutex code that, per the nebusec.ai IonStack part II writeup, sat in mainline from 2.6.39-rc1 in 2011 until a fix in April 2026 — about fifteen years. The cause is small: remove_waiter() assumed the running thread was the waiter it was cleaning up, and the requeue-PI path quietly broke that assumption. This post explains what a stack use-after-free is and why it is subtle, how a bug this small hides that long, and — measured, not alarmist — what GhostLock actually requires to exploit. It is local privilege escalation, not remote code execution, though the public exploit reports 97% stability. The practical takeaway is to patch: the fix was backported to stable on 2026-05-04.</description>
    <pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>linux-kernel</category><category>security</category><category>use-after-free</category><category>privilege-escalation</category><category>rtmutex</category><category>cve</category>
  </item>

  <item>
    <guid>https://www.youngju.dev/blog/2026-07-11-ghostlock-linux-uaf.ja</guid>
    <title>GhostLock — Linuxのrtmutexに15年潜んでいたスタックuse-after-free(CVE-2026-43499)</title>
    <link>https://www.youngju.dev/blog/2026-07-11-ghostlock-linux-uaf.ja</link>
    <description>GhostLock(CVE-2026-43499)は、Linuxカーネルのリアルタイムミューテックス(rtmutex)コードにあったスタックuse-after-freeです。nebusec.aiのIonStack第2部の分析によれば、この欠陥は2011年の2.6.39-rc1から2026年4月の修正まで、およそ15年間メインラインに残っていました。原因は小さく、remove_waiter()が後始末する対象のwaiterを常に現在のスレッドだと仮定していたのを、requeue-PIの経路が静かに破っていました。本稿では、スタックuse-after-freeとは何でなぜ厄介なのか、そうしたバグがどうやって15年も潜むのか、そして誇張抜きで、この欠陥を実際に悪用するには何が必要かを整理します。リモートコード実行ではなくローカル権限昇格ですが、公開された実証コードは97%の安定性を報告しています。実務的な結論はパッチで、修正は2026年5月4日にstableへバックポートされました。</description>
    <pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>linux-kernel</category><category>security</category><category>use-after-free</category><category>privilege-escalation</category><category>rtmutex</category><category>cve</category>
  </item>

  <item>
    <guid>https://www.youngju.dev/blog/2026-07-11-ghostlock-linux-uaf</guid>
    <title>GhostLock: 리눅스 rtmutex에 15년을 숨어 있던 스택 use-after-free (CVE-2026-43499)</title>
    <link>https://www.youngju.dev/blog/2026-07-11-ghostlock-linux-uaf</link>
    <description>GhostLock(CVE-2026-43499)은 리눅스 커널의 실시간 뮤텍스(rtmutex) 코드에 있던 스택 use-after-free다. nebusec.ai의 IonStack 2부 분석에 따르면 이 결함은 2011년 2.6.39-rc1부터 2026년 4월 패치까지 약 15년간 메인라인에 남아 있었다. 원인은 작다 — remove_waiter()가 정리 중인 waiter를 늘 현재 스레드라고 가정했는데, requeue-PI 경로가 그 가정을 조용히 깨뜨렸다. 이 글은 스택 use-after-free가 무엇이고 왜 미묘한지, 그런 버그가 어떻게 15년을 숨는지, 그리고 과장 없이 이 결함을 실제로 익스플로잇하려면 무엇이 필요한지를 정리한다. 원격 코드 실행이 아니라 로컬 권한 상승이지만, 공개된 익스플로잇은 97% 안정성을 보고한다. 실무 결론은 패치다 — 수정은 2026년 5월 4일 stable로 백포트됐다.</description>
    <pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>linux-kernel</category><category>security</category><category>use-after-free</category><category>privilege-escalation</category><category>rtmutex</category><category>cve</category>
  </item>

    </channel>
  </rss>
