TheCyberExpress

CVE-2026-53359: Januscape Linux KVM Flaw Enables VM Escape


A newly disclosed Linux kernel vulnerability, CVE-2026-53359, dubbed Januscape, has exposed a critical weakness in the Linux Kernel-based Virtual Machine (KVM) hypervisor. The flaw resides in the shadow MMU code and allows attackers to escape a virtual machine (VM), compromise the underlying host, and potentially execute arbitrary code. 

Security researchers warn that the issue poses a serious risk to multi-tenant x86 public cloud environments running untrusted guests with nested virtualization enabled. 

Januscape Flaw Affects KVM Shadow MMU Code 

Discovered by security researcher Hyunwoo Kim (@v4bel), CVE-2026-53359 is described as a use-after-free vulnerability in the KVM/x86 shadow MMU code. According to Kim, the flaw can be triggered entirely from within a guest VM to corrupt the host kernel’s shadow page state, ultimately breaking guest-to-host isolation.

Kim demonstrated Januscape as a zero-day during Google’s KVMCTF bug bounty program, which offers rewards of up to $250,000 for complete VM escape vulnerabilities. The researcher noted that this is the first publicly known KVM guest-to-host exploit research that can be triggered on both Intel and AMD systems, rather than being limited to a single architecture.

CVE-2026-53359 impact and affected systems 

Successful exploitation of Januscape can result in complete compromise of the host. Kim explained, “An attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE).” 

In addition to VM escape, CVE-2026-53359 can enable local privilege escalation on certain Linux distributions. On systems such as Red Hat Enterprise Linux (RHEL), where /dev/kvm is world-writable (0666), unprivileged users may escalate privileges to root. 

The vulnerability requires root privileges inside the guest VM, which public cloud users typically receive by default. If root access is unavailable, Kim said attackers could chain the flaw with another privilege escalation vulnerability, such as Dirty Frag. 

Patch availability and disclosure timeline 

According to the official GitHub advisory, Januscape remained hidden in the Linux kernel for roughly 16 years. The affected code spans the commit from 2032a93d66fa (August 1, 2010) through 81ccda30b4e8 (June 16, 2026). The issue was patched in the mainline Linux kernel on June 19, 2026, when commit 81ccda30b4e8 was merged. 

The advisory states that a proof-of-concept (PoC) executed inside a guest VM can reliably trigger a host’s kernel panic within seconds or minutes. While a full VM escape exploit exists in a controlled environment, it has not been publicly released. Following coordinated disclosure through [email protected] and the end of the agreed embargo, the exploit details were published on oss-security along with technical documentation. 

The advisory also clarifies that CVE-2026-53359 affects only Intel and AMD-based KVM hosts, not arm64 systems. It further notes that the vulnerability exists within KVM’s in-kernel MMU code, making it independent of QEMU’s emulation and potentially impacting cloud providers using custom virtualization stacks. Administrators running multi-tenant x86 KVM hosts with nested virtualization are advised to ensure the 81ccda30b4e8 patch has been applied. 



Source link