GhostLock, a stack-UAF that has existed in all Linux distributions for 15 years
120 points by ranger_danger 5 days ago | 38 comments
UAF = Use After Free (https://en.wikipedia.org/wiki/Dangling_pointer)

goodburb 2 days ago
Tested on three Android devices (version 9, 13, 16) with different Firefox versions under 150 (had to modify for older).

Two boot looped, I had to enter recovery and the other just powered off [0].

The demo modifies the wallpaper on supported Pixel devices.

[0] IonStack https://rootme.nebusec.ai

____

Tip: Install a Chromium flavor browser (Chromite) separate from the main browser.

Disable Javascript and hardware accelerated video decoder (commonly exploited) from the flags page and enable reader mode to fix broken JS-dependent websites when browsing blogs and random sites on your personal devices, else dedicate a tablet.

reply
etenal 23 minutes ago
Thanks for testing, we currently only tested it on Pixel 10, but there are a few people on our repo creating PR to support other devices, you can take a look here https://github.com/NebuSec/CyberMeowfia
reply
Chu4eeno 2 days ago
fwiw, the firefox vulnerability seems to be CVE-2026-10702 (type confusion in the ionmonkey jit compiler): https://www.sentinelone.com/vulnerability-database/cve-2026-...
reply
password4321 3 days ago
Forgot to include "LPE" (local...) in the title so most of us can get back to weekending.
reply
circularfoyers 2 days ago
Since this enables container escape, sounds like this might still impact quite a lot of us?
reply
password4321 2 days ago
I guess, if you thought Docker/etc. was a security boundary
reply
hollerith 2 days ago
A lot of us rely on Linux containers' being escape-proof?

I would have hoped that only a few of us are so misinformed as to do that.

reply
Chu4eeno 2 days ago
they also found a type confusion in firefox/ionmonkey, so you can go from random website to pwned very quickly.
reply
amatecha 3 days ago
Daaaaamn: "GhostLock was introduced in Linux 2.6.39 and fixed in Linux 7.1."
reply
alexjplant 22 minutes ago
> This is the same shape as many other life-cycle bugs [...]

Claude-ism detected. According to it an object does not have a type or definition, apparently, but rather a shape (or at least it reaches for that word before more technically-accurate ones). Problems are not of a similar class or type, but of the same shape. Functions are not defined by their signatures but by their shape. Who talks like this and how did it make its way into the training data so pervasively?

reply
teleforce 3 days ago
>Google has rewarded us $92,337 in kernelCTF

I'm all ears now

reply
mrbluecoat 3 days ago
Seems low considering the wide impact, but maybe the only thing corporations throw big money at is remote exploits?
reply
tptacek 2 days ago
That's a huge amount of money for a vulnerability.
reply
mixmastamyk 3 days ago
A what?
reply
happymellon 3 days ago
Use after free?
reply
dang 2 hours ago
Thanks! I've put that in the toptext now.
reply
teo_zero 2 days ago
I'm glad someone else asked. :)

It's not so widely used and it's not explained in the first couple screenfuls of TFA (which by itself is weirdly structured, taking entire paragraphs to explain when it was introduced, when it was discovered, etc. before even explaining what it actually is).

Of course the title was chosen when the article was first published on a site dedicated to security, where probably everyone knows it. This suggests that insisting on unmodified titles when republishing in HN is a poor rule.

reply
lkirkwood 2 days ago
Not that everyone should know it but it's definitely widely used. A Google search for "stack UAF" also turns it up.
reply
Uptrenda 27 minutes ago
Has anyone in infosec ever seen the term "use after free" before LLMs? Or is this basically an acronym claude invented? I say this because I see claude use this term all the time like its common knowledge but in 15+ years in tech never seen it myself. I've seen all kinds of terms used to describe memory errors: memory corruption, heap corruption, stack corruption, whatever, just never this acronym.
reply
mirashii 21 minutes ago
This is and has been a common term in any systems programming concept for decades. You can, for example, search CVEs and easily find some from over 15 years ago: https://www.cve.org/CVERecord?id=CVE-2010-1119

It was even enumerated in the first pass of CWE as CWE-416 in 2006.

reply
LPisGood 22 minutes ago
Yes, it was a common attack vector in binary exploitation. Heap based attack vector like use after free, double free, heap overflows, and others are pretty neat. They force you to learn a lot about how malloc works.

There is a lot of cool work that went into making memory allocation work well; the different arenas, fast bins, chunk headers, etc. are super cool.

reply
michaellee8 24 minutes ago
if you have spend any amount of time in low level c vulnerabilities you will have heard about it, it is a very common time on the low level/cybersec space.
reply
paulv 24 minutes ago
It has been a known bug class for quite some time.
reply
mdkotlik 24 minutes ago
yes, it’s a very common term in infosec. I haven’t heard the “UAF” acronym before though
reply
asveikau 18 minutes ago
I haven't really seen it as an acronym "UAF", but I can't recall the first time I heard "use after free". It was probably in the previous century.

The idea that Claude came up with it is ridiculous.

reply
abofh 25 minutes ago
[flagged]
reply
dang 4 minutes ago
Please don't be snarky or cross into putdowns or personal attack. We're all in (let's call it) the unlucky 10,000 about something. About most things actually.

https://news.ycombinator.com/newsguidelines.html

reply
defrost 10 minutes ago
I can see that you're old and that I'm older, but I fail to see the justification for being snarky about that.

  Please don't sneer, including at the rest of the community.
~ https://news.ycombinator.com/newsguidelines.html
reply
abofh 8 minutes ago
[flagged]
reply
defrost 6 minutes ago
And a wrong justifies a wrong?

These are the times we make.

reply
abofh 4 minutes ago
[flagged]
reply
LastTrain 15 minutes ago
There is an interesting episode of This American Life about how everyone, everyone, has weird gaps in their knowledge that eventually get filled in sometimes fun or humiliating ways. You have these too.
reply
dang 3 minutes ago
Wow, what is that episode? I haven't listened to TAL in probably more than a decade but I'd have a go at that one
reply
Uptrenda 19 minutes ago
[flagged]
reply
dang 2 minutes ago
I understand the response (hence https://news.ycombinator.com/item?id=48887373) but please don't react by breaking the site guidelines yourself. That only makes things worse.

https://news.ycombinator.com/newsguidelines.html

reply
abofh 11 minutes ago
[flagged]
reply
Uptrenda 7 minutes ago
Nah, I just find your clownish attempts at status games to be pathetic.
reply