AI Discovers 15-Year-Old Linux Root Bug Missed by Humans
AI-driven bug-hunting tool VEGA finds a 15-year-old Linux kernel bug allowing any logged-in user to gain root access on an unpatched machine.

Nebula Security has published exploit code for GhostLock (CVE-2026-43499), a use-after-free bug that sat in the Linux kernel for 15 years and lets any logged-in user take root on an unpatched machine, according to SecurityWeek and The Hacker News. The flaw shipped by default in essentially every mainstream distribution since 2011 and needs no special permissions or network access. Nebula's exploit escapes containers and was 97 percent reliable in testing.
It earned a $92,337 payout through Google's kernelCTF program. It was fixed in April, but patch availability is uneven; Ubuntu, as of early July, still listed 24.04, 22.04, and 20.04 LTS as vulnerable or in progress, so defenders should confirm the fixed package rather than assume one is waiting. Nebula found the bug with VEGA, its AI-driven bug-hunting tool, part of a 2026 run of Linux privilege-escalation flaws surfaced by automated tools combing old kernel code few had reread in years.
ICE's internal oversight group, the Office of Professional Responsibility, has begun investigating online critics of the agency, opening more than 100 cases looking at what ICE officials call "incidents of doxing and threats" against agency employees. And in the European Union, tech companies will be able to scan citizens' personal texts, emails, and social media messages again because of renewed powers in the "Chat Control" bill aimed at curbing online child abuse material. The European Parliament voted to extend the legislation despite a majority of lawmakers voting against the proposal.
WIRED revealed more about the Madison Square Garden surveillance landscape this week with revelations that MSG kept a database categorizing hundreds of celebrities, prominent Knicks superfans, and even some Taylor Swift wedding guests using labels that included "LGBTQIA," "DO NOT HOST," and low to high "risk." And new research this week shows that a wave of government website hijacks in which scammers promise "leaked" OnlyFans content are being stymied by thousands of copyright complaints from adult content creators, helping keep people safe by getting the malicious links taken down. The Pentagon opened applications this week for Cyber RAP, a paid apprenticeship that recruits people with no cyber degree or experience—just the aptitude to learn—into 12-month, full-time gigs learning to guard the department's networks, according to DefenseScoop. The US military's CIO, Kirsten Davies, pitched it as ditching "academic gatekeeping" for "raw aptitude, patriotic drive, and hands-on capability." But the pay is an abysmal $22,584 a year, and those who wash out will owe the government back for the training.
That's the deal for building talent in-house. The other option on the table is renting it. A provision in the Senate Armed Services Committee's FY2027 defense bill would let defense secretary Pete Hegseth spin up a pilot to run cyber operations through "contractor-owned, contractor-operated means"—a government-blessed hacker-for-hire crew, GovInfoSecurity reports.
Source: Wired