16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems
16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems
https://thehackernews.com/2026/07/16-year-old-linux-kvm-flaw-lets-guest.html
Publish Date: 2026-07-06 13:37:00
Source Domain: thehackernews.com
A use-after-free bug in Linux’s KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it.
Dubbed ‘Januscape’ and tracked as CVE-2026-53359, the flaw sits in the shadow MMU code that KVM shares across both Intel and AMD. The public proof-of-concept panics the host; the researcher claims that a separate, unreleased exploit turns the same bug into full host code execution.
Security researcher Hyunwoo Kim (@v4bel) found and reported the bug. He described Januscape as the first guest-to-host exploit triggerable on both Intel and AMD, to the best of public knowledge. The flaw went unnoticed for roughly 16 years.
According to Kim, the exploit was used as a zero-day submission in Google’s kvmCTF, the controlled KVM vulnerability reward program that offers up to $250,000 for full guest-to-host escapes.
How It Works
To run a virtual machine, KVM keeps its own private set of page tables that mirror the guest’s memory layout. When it needs one of these tracking pages, it looks for an existing one to reuse.
The problem: it matched them by memory address alone and ignored what type of tracking page it was grabbing. Two different types can share the same address but do completely different jobs, so KVM would sometimes reuse the wrong kind.
That mix-up scrambles KVM’s internal records of which page belongs where, and once those records are wrong, something has to give.
Most of the time, the kernel notices the mess and shuts itself down on the spot to avoid doing damage. That crash is what the public demonstration triggers: a guest can knock over the whole host, taking every other VM on that machine down with it.
The rarer, worse case happens when the freed tracking page gets handed out for another use before the kernel cleans up. The cleanup then scribbles a value into memory it no longer owns. An attacker only controls where that write lands, not what gets written, but even that limited foothold…