On July 7, 2026, the High Severity Linux kernel vulnerability CVE-2026-43499 (aka “GhostLock”) was disclosed, which could allow a user already running code on a system to gain elevated access and potentially escape container isolation. In response, our engineering team began an Emergency Maintenance on July 9 at 21:00 UTC to roll out patched kernel images across the potentially vulnerable parts of our fleet.
In order to exploit CVE-2026-43499, an attacker must already have the ability to run code on the affected system. By carefully choreographing threads to trigger a race in the remove_waiter() function, an unprivileged user can reclaim freed kernel stack memory and redirect kernel execution to gain root access on the machine. This can allow an attacker to escape container isolation and gain access to the host. The CVSS severity score for this vulnerability is 7.8 out of 10 (High). As of this writing, we have no evidence that this vulnerability has been exploited in any part of the CircleCI infrastructure.
Docker jobs: No Action Required
Docker jobs run on a shared Linux fleet where kernel-level isolation forms the security boundary between customers. The Emergency Maintenance rollout of patched kernel images is in progress and this post will be updated when complete. No action is required on your part.
Machine executor jobs: No Action Required
Machine executor jobs already run with root access by design, so this vulnerability does not expose data or credentials beyond the access that your build already has. Each VM is yours alone for the duration of a job and is destroyed when the job ends, so this vulnerability cannot carry over between jobs or customers.
Even so, the Emergency Maintenance rollout of patched kernel images is in progress and this post will be updated when complete. No action is required on your part.
‘Self-hosted’ Runners: Patch Your Host Machines
If you use CircleCI Runners on a vulnerable Linux version, you will need to immediately patch your host machines according to your Linux distribution provider’s guidance. CircleCI does not distribute any images for Runners, so there are no CircleCI updates to Runner binaries.
A note on vulnerability scanners
If you’re running a vulnerability scanner inside your job, it may temporarily flag the current kernel version as unpatched. That’s accurate and expected, and will clear once updated kernel images are fully deployed across the CircleCI infrastructure. In the meantime, you can reference this post to document the exception in your security tooling.
Updates
July 9, 2026, 21:00 UTC - Patched kernel rollout in progress across Docker executor and Machine executor fleets. This post will be updated when the rollout is complete.
July 10, 2026, 5:04 UTC - We have completed the kernel upgrades across all the infrastructure used to run Docker jobs. Our monitoring shows Docker job execution is working as normal.
During the maintenance, a small number of jobs were forcibly canceled as machines were upgraded. These jobs will have an “Infrastructure Fail” status in the CircleCI UI. You can rerun Infrastructure Fail jobs from the UI or pushing to your VCS brach.
Thank you for your patience during this maintenance.