Sunday, July 12, 2026
BCN.
Technology

A 16-year-old Linux KVM bug lets a guest VM escape and crash the whole host on Intel and AMD

Januscape (CVE-2026-53359) abuses shadow-MMU page reuse; the public PoC panics the host, and the researcher claims an unreleased version runs code as root.

Janet Torvalds

July 12, 2026

A guest virtual machine on a shared x86 host is supposed to be a sealed box. You rent it, you get root inside it, and whatever you do stays inside your slice of the machine. A bug called Januscape breaks that assumption. From inside a guest, it corrupts the memory bookkeeping of the Linux KVM hypervisor running underneath, and the public proof-of-concept uses that to crash the entire host, taking every other tenant on the same physical machine down with it.

The flaw is tracked as CVE-2026-53359. Security researcher Hyunwoo Kim, who posts as @v4bel, found and reported it. He describes Januscape as the first guest-to-host exploit that fires on both Intel and AMD, and the vulnerable code has been sitting in the kernel for about 16 years.

Where the bug lives

KVM keeps its own private set of page tables that shadow the guest's memory layout. When it needs one of these tracking pages, it looks for an existing one to reuse instead of allocating a fresh one.

The mistake is in how it decides two pages are the same. KVM matched them by memory address alone and ignored the page's type. Two tracking pages can share an address while doing completely different jobs, so KVM would sometimes grab the wrong kind. That scrambles its records of which page belongs where, and it is a use-after-free: the kernel ends up reusing a tracking page it has already let go of.

Most of the time the kernel notices the damage and shuts itself down on the spot. That deliberate crash is what the public demo triggers, and it is why a single guest can knock over the whole host.

The worse case is rarer. If the freed tracking page gets handed out for something else before the kernel finishes cleaning up, the cleanup writes a value into memory KVM no longer owns. The attacker controls where that write lands but not what gets written. That is a narrow foothold, but Kim says he has a separate, unreleased exploit that works it up into running code as root on the host. He reported it as a zero-day to Google's kvmCTF, the program that pays up to $250,000 for a full guest-to-host escape.

What has to be true to get hit

Two conditions. The attacker needs root inside the guest, which is normal on a rented cloud instance you control, and the host has to expose nested virtualization.

That second one is the important detail. Modern hosts run hardware-assisted page tables (Intel's EPT, AMD's NPT) by default, and the buggy shadow-MMU code does not run in that path. But turn on nested virtualization and KVM falls back to the legacy shadow MMU, which is exactly where the bug sits. So the exposure is narrower than "every KVM host." It is specifically x86 hosts running untrusted guests with nested virtualization enabled.

The exploit is purely in-kernel. It needs no help from QEMU or any userspace component.

Patch status

The vulnerable code dates to a commit from August 2010, kernel 2.6.36 era. KVM maintainer Paolo Bonzini wrote the fix, a one-line change to the page-reuse logic so a shadow page is only recycled when both the frame number and the role match. It merged to mainline on June 19, 2026.

Fixed stable kernels shipped on July 4, 2026: 7.1.3, 6.18.38, 6.12.95, 6.6.144, 6.1.177, 5.15.211, and 5.10.260. NVD has not assigned a CVSS score yet, which is not a reason to wait.

If you run x86 KVM hosts that take multi-tenant guests with nested virtualization, confirm your kernel carries commit 81ccda30b4e8. Distribution backports often ship the fix under their own version numbers, so read the package changelog rather than trusting uname -r. If you cannot patch right away, turning off nested virtualization (kvm_intel.nested=0 or kvm_amd.nested=0) closes the attack path. ARM64 hosts are not affected by this one.

The pattern worth noticing

Januscape is Kim's third Linux kernel exploit in about two months. In May he published Dirty Frag, a page-cache write chain that gives deterministic root on most major distributions. In June came ITScape, a guest-to-host escape on KVM's ARM64 path. Januscape covers x86.

The KVM angle is the part to sit with. This is the second shadow-MMU use-after-free found in that same legacy code path in two months. CVE-2026-46113, a related but distinct rmap mismatch, was fixed in May. Google stood up kvmCTF in 2024 precisely because KVM sits under both Android and Google Cloud, and the program is now doing what it was built to do: surfacing old, deep bugs in code most people assumed had been picked over years ago. Sixteen years is a long time for a guest-to-host primitive to go unnoticed in something this heavily used. It is a good argument that "mature and widely deployed" is not the same as "audited."

CVE-2026-53359shadow MMUVirtualizationguest-to-host escapenested virtualizationkvmCTFHyunwoo KimKVMLinux kernelCybersecurityLinux KVMuse-after-freeJanuscape

Keep reading