Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks

Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks

Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks

https://securityaffairs.com/194868/security/januscape-16-year-old-linux-kvm-bug-enables-cloud-vm-escape-attacks.html

Publish Date: 2026-07-07 03:17:00

Source Domain: securityaffairs.com

Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks

Pierluigi Paganini
July 07, 2026

Januscape: A 16-year-old Linux KVM flaw lets cloud VM tenants crash hosts and potentially escape guests. It affects Intel and AMD systems.

Security researcher Hyunwoo Kim has published details of a use-after-free vulnerability in Linux’s KVM hypervisor that allows code running inside a guest virtual machine to corrupt host kernel memory. The bug, tracked as CVE-2026-53359 and named Januscape, has been sitting in the kernel since August 2010. It affects both Intel and AMD processors, which makes it the first publicly documented guest-to-host KVM exploit that works across both architectures.

Kernel-based Virtual Machine (KVM) is a virtualization technology built directly into the Linux kernel that allows one physical computer to run multiple independent virtual machines (VMs).

💥 Introducing “Januscape” (CVE-2026-53359)

A Guest-to-Host Escape in KVM/x86 exploiting a UAF in the shadow MMU. Triggerable on both Intel and AMD hosts. Threatens x86 public clouds (GCP, AWS) that expose nested virtualization.

“16 years” latent. Successfully used as a… pic.twitter.com/UHVC6Tg3Nm

— V4bel (@v4bel) July 6, 2026

Kim used it as a zero-day submission in Google’s kvmCTF program, which offers up to $250,000 for full guest-to-host escapes. The public proof-of-concept reliably panics the host kernel. A separate, complete exploit that achieves code execution on the host exists but hasn’t been released. Kim says that one is planned for the distant future.

KVM maintains its own internal set of page tables to track a guest’s memory layout. When it needs one of these tracking pages, it looks for an existing one to reuse. The problem is that it matched candidates by memory address alone and ignored the type of tracking page it was grabbing.

“Januscape is a use-after-free vulnerability…

Source