The Hacker News

16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems

A use-after-free bug in Linux's KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it. Dubbed "Januscape" and tracked as CVE-2026-53359, the flaw sits in the shadow MMU code that KVM shares across both Intel and AMD. The public proof-of-concept panics the host; the researcher claims that a separate, unreleased exploit turns the same bug into full host code execution.

Security researcher Hyunwoo Kim (@v4bel) found and reported the bug. He described Januscape as the first guest-to-host exploit triggerable on both Intel and AMD, to the best of public knowledge. The flaw went unnoticed for roughly 16 years. According to Kim, the exploit was used as a zero-day submission in Google's kvmCTF, the controlled KVM vulnerability reward program that offers up to $250,000 for full guest-to-host escapes.

How It Works

To run a virtual machine, KVM keeps its own private set of page tables that mirror the guest's memory layout. When it needs one of these tracking pages, it looks for an existing one to reuse. The problem: it matched them by memory address alone and ignored what type of tracking page it was grabbing. Two different types can share the same address but do completely different jobs, so KVM would sometimes reuse the wrong kind.

That mix-up scrambles KVM's internal records of which page belongs where, and once those records are wrong, something has to give. Most of the time, the kernel notices the mess and shuts itself down on the spot to avoid doing damage. That crash is what the public demonstration triggers: a guest can knock over the whole host, taking every other VM on that machine down with it.

The rarer, worse case happens when the freed tracking page gets handed out for another use before the kernel cleans up. The cleanup then scribbles a value into memory it no longer owns. An attacker only controls where that write lands, not what gets written, but even that limited foothold can be worked up into running code on the host. The flaw behaves the same on Intel and AMD chips; only the final, hardest step of turning it into full control takes different work on each.

Who Is Affected

The vulnerable code has been present since commit 2032a93d66fa in August 2010 (kernel 2.6.36 era) and was fixed by commit 81ccda30b4e8, merged into mainline on June 19, 2026.

The attack requires two things from the guest side:

  • Root inside the VM, a common condition on rented cloud instances
  • Nested virtualization exposed by the host

Even on hosts that run hardware EPT or NPT by default, nested virtualization forces KVM back through the legacy shadow MMU, which is where the bug sits. The exploit needs no cooperation from QEMU or any userspace VMM. It is purely an in-kernel KVM bug.

The practical concern is any x86 environment that hosts untrusted guests with nested virtualization enabled. An attacker who rents a single such instance can panic the host, taking down every other tenant VM on the same physical machine. Kim said the withheld full exploit runs code as root on the host, which would expose other guests on the same machine to that root access.

On distributions like RHEL, where /dev/kvm is world-writable (0666), Kim noted the same bug could also serve as a local privilege escalation to root, though the guest-to-host path is the higher-impact use.

A Busy Few Months for One Researcher

Januscape is Kim's third Linux kernel exploit disclosure in roughly two months:

  • May 2026: Disclosed Dirty Frag (CVE-2026-43284 / CVE-2026-43500), a page-cache write vulnerability chain that delivers deterministic root on most major distributions, extending the same bug class as Dirty Pipe and Copy Fail.
  • June 2026: Published ITScape (CVE-2026-46316), the first publicly demonstrated guest-to-host escape on KVM/arm64, exploiting a race condition in the virtual interrupt controller.
  • Now: Januscape adds the x86 side; the same trigger fires on both Intel and AMD, with the PoC carrying a separate code path for each vendor.

Google launched kvmCTF in 2024 specifically because KVM underpins both Android and Google Cloud. A separate KVM x86 shadow paging use-after-free (CVE-2026-46113) involving a related but distinct rmap mismatch was fixed in May 2026. That makes two shadow MMU use-after-frees in the same legacy code path within two months.

What to Do

The fix is a one-line addition to kvm_mmu_get_child_sp(): the reuse condition now checks role.word alongside the gfn, so a shadow page is only reused when both the frame number and the role match. KVM maintainer Paolo Bonzini wrote the patch.

Fixed stable versions shipped on July 4, 2026:

  • 7.1.3
  • 6.18.38
  • 6.12.95
  • 6.6.144
  • 6.1.177
  • 5.15.211
  • 5.10.260

NVD has not yet assigned a CVSS score; do not wait for one.

If you operate an x86 KVM host that accepts multi-tenant guests with nested virtualization, confirm that your kernel includes commit 81ccda30b4e8. Distribution backports may carry the fix under a different version number, so check the package changelog rather than relying on uname -r alone.

If you cannot patch immediately, disabling nested virtualization (kvm_intel.nested=0 or kvm_amd.nested=0) removes the attack path for untrusted guests.

ARM64 hosts are not affected by Januscape; ITScape (CVE-2026-46316) is a separate KVM/arm64 issue.

The public PoC demonstrates a reliable host panic from a guest with a loadable kernel module and seconds to minutes of racing. Treat exposed x86 KVM hosts with nested virtualization as high-priority patch targets.

Comments

No comments yet. Start the discussion.