16-year-old KVM flaw allows attackers to escape VMs and take over Linux servers
16-year-old KVM flaw allows attackers to escape VMs and take over Linux servers
Publish Date: 2026-07-07 17:55:00
Source Domain: www.csoonline.com
A critical vulnerability in the Kernel-based Virtual Machine (KVM) module of the Linux kernel allows attackers with root access in a guest VM to execute arbitrary code on the host system. This violates the most important security boundary that cloud providers and enterprises rely on to isolate sensitive processes on servers.
The vulnerability, tracked as CVE-2026-53359, stems from a use-after-free memory bug in the shadow MMU emulation of KVM on x86 CPU architecture. According to Hyunwoo Kim, the researcher who discovered it, the flaw has been present in the Linux kernel code for the past 16 years and is the first KVM guest-to-host escape vulnerability that works on both Intel and AMD CPUs.
Hyunwoo dubbed the flaw Januscape and reported it through Google’s kvmCTF, a vulnerability reward program that pays up to $250,000 for a full VM escape demonstrated in KVM, which Google uses in Google Cloud as well as Android infrastructure.