Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Linux Kernel Vulnerability Allows VM Escape on Intel and AMD Systems

The 16-year-old Januscape flaw affects Linux’s KVM hypervisor, allowing attackers to escape virtual machines and potentially execute code on the underlying host.

Linux

A newly disclosed Linux kernel vulnerability can be exploited to escape virtual machines (VMs) and execute code on the underlying host, security researchers warn.

Tracked as CVE-2026-53359 and referred to as Januscape, the security defect impacts the shadow MMU code in Linux Kernel-based Virtual Machine (KVM) hypervisor.

The guest-to-host vulnerability poses a major threat to multi-tenant x86 public clouds running untrusted guests and exposing nested virtualization. It is known to be the first KVM exploit that can be triggered on both Intel and AMD architectures.

The flaw was discovered by security researcher Hyunwoo Kim (@v4bel), who demonstrated it as a zero-day in Google kvmCTF, the bug bounty program that works like a CTF event and offers up to $250,000 for full VM escape weaknesses.

According to Kim, the vulnerability is a use-after-free vulnerability that can be triggered from the VM to corrupt the shadow page state of the host’s kernel.

Successful exploitation of Januscape, the researcher explains, can lead to the full compromise of the host on which the VM is running.

Advertisement. Scroll to continue reading.

“For example, an attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE),” Kim explains.

On certain Linux distributions, such as Red Hat Enterprise Linux (RHEL), the security defect can be exploited by unprivileged users to escalate their privileges to root.

Januscape’s exploitation requires root privileges on the guest machine, which is typically available by default when a user is allocated a VM instance on a public cloud. If root access is not available, an attacker could chain the flaw with a privilege escalation bug, such as Dirty Frag, Kim says.

CVE-2026-53359 stayed dormant in the Linux kernel for 16 years. It was patched in mainline on June 19, when commit 81ccda30b4e8 was merged.

Related: Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access Vulnerability

Related: ‘DirtyClone’ Linux Kernel Vulnerability Leads to Root Access

Related: Organizations Warned of Exploited Linux Kernel Vulnerability

Related: 19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.