16-year-old KVM flaw lets a guest VM crash or escape to the Linux host
A use-after-free flaw in Linux's KVM hypervisor, nicknamed Januscape and hidden in the code for about 16 years, lets a virtual machine attack the physical host it runs on. Tracked as CVE-2026-53359, it sits in the shadow memory code that KVM uses on both Intel and AMD systems when nested virtualization is enabled. From inside a guest with root, an attacker can corrupt host kernel memory: the public proof-of-concept crashes the entire host, taking down every other tenant on that machine, and the researcher says a private exploit can run code as root on the host. The fix reached mainline Linux in June, and distributions are shipping updated kernels now.
- Check
- Identify x86 KVM hosts running untrusted or multi-tenant guests with nested virtualization enabled, check kernel versions against the Januscape fix, and confirm /dev/kvm is not world-writable on shared systems.
- Affected
- x86 KVM hosts on unpatched kernels with nested virtualization enabled (CVE-2026-53359), on both Intel and AMD; a guest with root can crash the host or potentially escape to run code on it.
- Fix
- Apply the updated kernels from your distribution as they ship. If you cannot patch immediately, disable nested virtualization with kvm_intel.nested=0 or kvm_amd.nested=0 to remove the attack path for untrusted guests.