Qurated: GhostLock, a stack-UAF that has existed in all Linux distributions for 15 years
GhostLock: The 15-Year-Old Bug That Redefines "Stable"
The single most important insight here isn't the bug itself — it's what it proves: age is not evidence of safety. GhostLock sat in every major Linux distribution for a decade and a half, surviving countless audits, hardening efforts, and "battle-tested" claims. If a stack-based Use-After-Free can hide in the most scrutinized open-source kernel on Earth for 15 years, no codebase is exempt from this risk — including yours.
What Actually Happened
A stack-UAF occurs when a pointer to stack memory outlives the function call that created it. The stack frame gets reused, the pointer still points to that address, and now you're reading or writing to memory that belongs to something else entirely. GhostLock is that pattern, quietly embedded in a locking primitive used across the Linux ecosystem — infrastructure so foundational that nobody thought to re-examine it.
The bug wasn't found because someone spotted broken behavior. It was found because someone stopped assuming the primitive was correct.
The Mental Model: Trust Decay
Treat every dependency's trustworthiness as a decaying function, not a fixed value:
- Age ≠ audited. Longevity often means "not exploited yet," not "verified safe."
- Ubiquity ≠ scrutiny. The more universal a component, the more everyone assumes someone else checked it.
- Silence ≠ security. No CVEs isn't proof of absence — it's proof of absence of discovery.
This is the inverse of the Lindy Effect. In security, survival time doesn't predict future survival — it predicts how large the blast radius will be when the bug finally surfaces.
Actionable Takeaways
- Audit your "boring" dependencies first. The exciting, actively-developed code gets scrutiny by default. The stable, unglamorous locking/memory primitives don't. Start there.
- Hunt for stack-lifetime violations specifically. Ask: does any pointer here outlive the stack frame that created it? This is a mechanical, teachable check — not a matter of intuition.
- Assume core primitives have unknown UAFs. Not as paranoia, but as a baseline posture. Build memory-safety tooling (ASan, KASAN, Rust rewrites of critical paths) around the assumption that even "solved" code has latent flaws.
- Reward negative results. The engineering culture that rewards "I found nothing wrong" audits is the one that eventually finds GhostLock. If your team only celebrates found bugs, you're incentivizing people to skip the deep, unglamorous review.
The Uncomfortable Question
If a bug like this can live undetected in Linux — arguably the most reviewed piece of software in existence — what's living undiscovered in your infrastructure right now? Not your new features. Your foundations. The stuff you stopped looking at because it's "done."
Discussion prompt: What's the oldest, least-touched component in your stack that you'd bet money is still secure? Now ask yourself why you're so confident — and whether that confidence is earned or inherited.