New Linux Flaw Lets Attackers Escape VMs

Jul 13, 2026

A 16-year-old vulnerability allows an attacker to escape a virtual machine, gain access to the host, and execute malicious code.

Security researcher Hyunwoo Kim, who goes by the name V4bel online, discovered the vulnerability and released an abstract on GitHub about it stating, "Januscape is a use-after-free vulnerability in the shadow MMU emulation of KVM/x86." Kim continues, "It can trigger the bug with guest-side actions alone to corrupt the host kernel's shadow page, and it can threaten the guest-host isolation of KVM/x86 hosts that accept untrusted guests and expose nested virtualization, particularly multi-tenant x86 public clouds (GCP, AWS, etc.)." In the abstract, Kim also demonstrates how this attack can be made via proof-of-concept to trigger a kernel panic.

Kim also claims that Januscape was the basis for the zero-day exploit in Google kvmCTF, which (according to Google) "is a vulnerability reward program designed to help identify and address vulnerabilities in the Kernel-based Virtual Machine (KVM) hypervisor. It offers a lab environment where participants can log in and utilize their exploits to obtain flags."

Januscape is the first guest-to-host exploit that can be triggered on both AMD and Intel architectures, and it could allow an attacker to do things like panic the kernel on the host and take down every tenant VM.

Another dangerous aspect of Januscape is that, on Linux distributions such as RHEL that set the /dev/kvm directory as writable by all, attackers can exploit CVE-2026-53359 and gain root privileges.
 
 

 
 
 

Related content

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News