Januscape: 16-Year-Old Linux KVM Flaw Enables Guest-to-Host VM Escape

A use-after-free in Linux KVM's shadow paging code, dormant since 2010, lets a guest VM corrupt host kernel memory and potentially escape to the machine underneath. CVE-2026-53359, dubbed Januscape, hits Intel and AMD hosts alike and is the second such bug in the same code path this year.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region6 min read
Server racks in a data centre representing the shared infrastructure exposed by the Linux KVM hypervisor vulnerability.

Server racks in a data centre representing the shared infrastructure exposed by the Linux KVM hypervisor vulnerability.

Cloud computing runs on one basic guarantee: a rented virtual machine cannot reach the physical host underneath it, or the neighbouring tenants sharing that host. A Linux kernel flaw that sat unnoticed for sixteen years has now put a real crack in that guarantee, and the deeper technical picture that has emerged over the past few days makes the case for patching quickly rather than urgently.

The bug, tracked as CVE-2026-53359 and named Januscape by the researcher who found it, Hyunwoo Kim, lives in KVM's shadow paging code, the software layer the hypervisor falls back on whenever nested virtualisation is switched on. Modern Intel and AMD chips normally handle guest memory translation in hardware through EPT and NPT. The moment a guest is allowed to run its own guest inside it, the host has to shadow that second layer of page tables itself, in software, and this is the code path where the flaw sits.

KVM tracks each of these shadow pages with a small internal structure that records two things: which guest memory frame it represents, and its role, essentially whether it is a large, direct mapping or a proper multi-level shadow of the guest's own page tables. When KVM needs a shadow page for a given address, it checks whether it can reuse one already sitting in memory rather than building a new one. The function that makes that call, kvm_mmu_get_child_sp, only ever compared the memory frame number. It never checked the role. Two structurally different shadow pages can legitimately share the same frame number while serving completely different purposes, and when that happened, KVM could hand back the wrong one.

That mismatch corrupts KVM's internal bookkeeping of which shadow page belongs where. Most of the time, the kernel catches the inconsistency and shuts itself down immediately as a safety measure, which is exactly what the public proof-of-concept code does: a single guest VM can panic the entire host, taking every other tenant's VM on that machine down with it as a denial of service. The rarer and more serious outcome happens if a freed tracking structure gets reassigned before cleanup runs. The cleanup routine then writes into memory it no longer owns. An attacker cannot choose what gets written, only where, but Kim says that limited primitive is enough, with considerable additional work, to be turned into code execution on the host itself. That fuller exploit has not been released.

This is not the first time this exact area of KVM has produced a bug. In May, a related flaw, CVE-2026-46113, was fixed after it was found through fuzzing by researchers at a major cloud provider. That fix added a check comparing the guest frame number before reuse, closing off the case where a shadow page was a leaf entry. What it did not cover was the case where the modified mapping pointed to a non-leaf page instead. An attacker could arrange things so the frame number lined up perfectly, sailing straight through the new check, while the role silently did not. That is precisely the gap Januscape exploits, discovered roughly two months after the first fix shipped.

Reaching that state on the guest side requires two conditions. The attacker needs root privileges inside the virtual machine, which is the default state of things on most rented cloud instances rather than a privilege that needs to be separately earned. And the host needs nested virtualisation enabled and reachable by that guest, a setting many providers do not turn on by default, but one that is common wherever customers or internal teams need to run their own hypervisors on top of a rented one. The exploit needs no cooperation from QEMU or any other userspace virtual machine manager. It is a purely in-kernel KVM issue, so it threatens any x86 environment built on KVM directly, not only QEMU-based deployments.

Kim reported the bug through Google's kvmCTF programme, the controlled vulnerability reward scheme Google runs specifically because KVM underpins both Android and large parts of Google Cloud, which pays up to $250,000 for a demonstrated full guest-to-host escape. Januscape is his third Linux kernel disclosure in roughly two months, following Dirty Frag in May and ITScape, a separate guest-to-host escape affecting KVM on arm64, in June. Arm64 hosts are not affected by Januscape itself. One detail worth noting from the KVM maintainer team: unlike the two earlier bugs in this trilogy, which were caught through conventional fuzzing, Januscape was reportedly surfaced with the help of AI-assisted code analysis, a sign that legacy code paths carrying years of untouched risk may start surfacing more often as that kind of tooling improves.

The fix itself is small. The reuse check in kvm_mmu_get_child_sp now compares the page's role alongside its frame number, so a shadow page is only handed back when both actually match. KVM maintainer Paolo Bonzini wrote the patch, which merged into mainline on 19 June and reached stable kernel releases on 4 July, across versions 7.1.3, 6.18.38, 6.12.95, 6.6.144, 6.1.177, 5.15.211, and 5.10.260. Distribution rollout is uneven. Debian shipped fixes for its testing and unstable branches within a day of the embargo lifting, with its stable and oldstable branches still pending at time of writing. SUSE has rated the issue important and has updates in QA. Red Hat's downstream advisory assigned a CVSS base score of 7.0. AlmaLinux pushed testing kernels ahead of its usual schedule given the severity. Distribution version numbers rarely match the upstream release, so checking a changelog for the actual fix commit is more reliable than checking a kernel version alone.

There is also a secondary, narrower risk. On distributions where the /dev/kvm device is left world-writable, an unprivileged local user could use the same bug for local privilege escalation without ever touching a guest VM, though this is a smaller concern than the guest-to-host path and is easily closed by tightening device permissions.

For infrastructure teams, the practical checklist has not changed with these new details, but the reasoning behind it is now clearer. Patch affected hosts, confirming the fix commit rather than relying on version numbers. Where nested virtualisation is not a genuine business requirement, disable it, which removes the vulnerable code path entirely for untrusted guests. Audit who can spin up guests with nesting enabled, since that is the real exposure surface on shared infrastructure. Restrict /dev/kvm to trusted users where it is left open. And do not assume that patching May's related bug, or June's arm64 escape, covers this one. All three are distinct vulnerabilities in adjacent code, and each needed its own fix.

The pattern across all three disclosures is the more durable lesson here, closely related to a cloud infrastructure breach GCC enterprises have already had reason to study this year, when the European Commission's AWS environment was compromised and hundreds of gigabytes of data were exposed. Components that run untouched for years have usually just gone unexamined, not proven safe, and that is exactly the kind of anomaly that ongoing managed detection and response is built to catch before it escalates, rather than after.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

Cloud Infrastructure SecurityThreat IntelligenceVulnerability ManagementLinux Kernel Security