An artificial intelligence tool has uncovered a vulnerability in the Linux kernel that allows any local user to obtain root access in under five seconds. The flaw, named GhostLock (CVE-2026-43499), went 15 years undetected by human reviewers and affects virtually every Linux distribution since 2011.

The discovery was made by VEGA, an AI agent developed by Nebula Security that scans code for security flaws, as Wired reported on July 11. GhostLock is a use-after-free bug in the kernel's futex mechanism, a piece of code dating to 2011 that few human reviewers had examined in depth. The flaw allows anyone with a local account, without special permissions, to escalate to full administrator privileges and escape containers. In Mexico, Linux underpins banking servers, government platforms, telecommunications infrastructure, and the billions of Android devices the community uses daily.

Nebula Security reported the flaw to the Linux kernel security team on April 18, 2026. The fix was integrated two days later and backported to stable kernel branches in May, according to the technical record published on the OSS-Sec mailing list and detailed by The Hacker News. The exploit developed by the researchers has a 97 percent success rate in laboratory tests and takes approximately five seconds to execute. Google, through its kernelCTF vulnerability bounty program, awarded $92,337 to the Nebula Security team for the discovery. GhostLock is not the only finding of this kind in 2026: Anthropic's Mythos model was credited with discovering a related flaw in the same region of the code, confirming that automated tools are surfacing vulnerabilities that generations of human reviewers missed.

The finding marks an inflection point in software auditing: AI tools are finding what decades of manual review could not. With Linux as the foundation of the digital infrastructure used by millions across North America, the security community recommends applying patches without delay.

This article was written with AI assistance from verified sources and reviewed by a human editor before publication.