HeadlinesBriefing favicon HeadlinesBriefing.com

Januscape Exposes KVM to Guest-to-Host Escapes

Hacker News •
×

Januscape (CVE-2026-53359) is a KVM escape first disclosed by Hyunwoo Kim. The flaw is a use‑after‑free in the shadow MMU emulation layer of KVM/x86 and can be triggered solely from guest‑side actions on both Intel and AMD CPUs, making it the first cross‑architecture guest‑to‑host vulnerability of its kind.

The bug corrupts the host kernel’s shadow page table, leading to kernel panics or arbitrary code execution. Public cloud tenants on GCP, AWS, and other x86 hosts that enable nested virtualization are directly affected. In a 0‑day use, Google’s kvm CT F was successfully leveraged, underscoring the practical threat to multi‑tenant environments.

On distributions such as RHEL, the world‑writable /dev/kvm (0666) turns the flaw into a reliable local privilege escalation, allowing an unprivileged user to gain root if the host kernel is unpatched. The vulnerability has been dormant for roughly 16 years, from 2010‑08‑01 to 2026‑06‑16.

Operators should apply the kernel patch identified by commit 81ccda30b4e8, disable nested virtualization where feasible, and audit /dev/kvm permissions. Arm64 hosts are not affected, but unpatched ITScape (CVE-2026-46316) still poses a risk.