16-Year-Old Linux KVM Flaw Allows VM Escape
A critical use-after-free vulnerability has been discovered in Linux's Kernel-based Virtual Machine (KVM) hypervisor, allowing guest virtual machines to escape to the host system. This flaw, dubbed 'Januscape' and assigned CVE-2026-53359, has reportedly existed for 16 years and affects both Intel and AMD x86 architectures. The vulnerability resides within the shared shadow MMU code used by KVM. When triggered from a guest VM, it corrupts the shadow-page state of the host kernel, which is responsible for managing memory access.
The public proof-of-concept exploit for Januscape has been demonstrated to cause a host panic, indicating a severe disruption of the host system's stability. While the public exploit leads to a denial-of-service condition, the researcher who identified the flaw claims that a separate, unreleased exploit exists which could potentially allow for arbitrary code execution on the host. This implies a more significant security risk beyond system instability.
The discovery highlights a long-standing weakness within a core component of Linux virtualization. KVM is a widely used hypervisor, integrated directly into the Linux kernel, making this vulnerability a significant concern for cloud providers, enterprise users, and individuals running virtual machines on Linux. The extended period the flaw remained undetected underscores the challenges in securing complex software systems and the importance of ongoing security audits and vulnerability research.
Original source — read the full reporting at the publisher:
Read on The Hacker News