SecurityWeek

Linux Kernel Vulnerability Allows VM Escape on Intel and AMD Systems


A newly disclosed Linux kernel vulnerability can be exploited to escape virtual machines (VMs) and execute code on the underlying host, security researchers warn.

Tracked as CVE-2026-53359 and referred to as Januscape, the security defect impacts the shadow MMU code in Linux Kernel-based Virtual Machine (KVM) hypervisor.

The guest-to-host vulnerability poses a major threat to multi-tenant x86 public clouds running untrusted guests and exposing nested virtualization. It is known to be the first KVM exploit that can be triggered on both Intel and AMD architectures.

The flaw was discovered by security researcher Hyunwoo Kim (@v4bel), who demonstrated it as a zero-day in Google kvmCTF, the bug bounty program that works like a CTF event and offers up to $250,000 for full VM escape weaknesses.

According to Kim, the vulnerability is a use-after-free vulnerability that can be triggered from the VM to corrupt the shadow page state of the host’s kernel.

Successful exploitation of Januscape, the researcher explains, can lead to the full compromise of the host on which the VM is running.

Advertisement. Scroll to continue reading.

“For example, an attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE),” Kim explains.

On certain Linux distributions, such as Red Hat Enterprise Linux (RHEL), the security defect can be exploited by unprivileged users to escalate their privileges to root.

Januscape’s exploitation requires root privileges on the guest machine, which is typically available by default when a user is allocated a VM instance on a public cloud. If root access is not available, an attacker could chain the flaw with a privilege escalation bug, such as Dirty Frag, Kim says.

CVE-2026-53359 stayed dormant in the Linux kernel for 16 years. It was patched in mainline on June 19, when commit 81ccda30b4e8 was merged.

Related: Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access Vulnerability

Related: ‘DirtyClone’ Linux Kernel Vulnerability Leads to Root Access

Related: Organizations Warned of Exploited Linux Kernel Vulnerability

Related: 19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access



Source link