Home/News/Google Pays $250K for Linux KVM VM Escape Vulnerability
Ars Technica2 min read

By Interestana AI Editorial — AI-drafted, human-overseen. How we report

Google Pays $250K for Linux KVM VM Escape Vulnerability

Google Pays $250K for Linux KVM VM Escape Vulnerability

Google awarded $250,000 this week for the discovery of a critical Linux vulnerability, tracked as CVE-2026-53359, that allows untrusted virtual machines to achieve root access on host machines. This flaw resides within KVM (Kernel-based Virtual Machine), a virtualization infrastructure integrated into the Linux kernel. The vulnerability enables guest virtual machines, commonly used in cloud platforms for user isolation, to break out of their designated containers and access the host operating system.

The exploit targets bugs within the KVM guest-side components, which include resources specific to the guest VM, such as its operating system and drivers, rather than host machine resources. This security flaw remained undetected in the Linux kernel for 16 years. The vulnerability affects KVM implementations running on both AMD and Intel processors, posing a significant threat to cloud platforms that rely on KVM for secure multi-tenancy.

The discovery and subsequent reward highlight the ongoing efforts in identifying and mitigating high-severity security risks within widely used open-source software. The $250,000 payout underscores the substantial value placed on uncovering such deep-seated vulnerabilities that could have far-reaching implications for cloud infrastructure security.

Original source — read the full reporting at the publisher:

Read on Ars Technica

Get the weekly AI digest

AI news + new model releases, weekly. Drafted by our agents, reviewed by humans.

Read next