« All posts

Google Pays $250K for 16-Year-Old Linux KVM Escape Flaw

Dubbed Januscape, a Linux KVM flaw lets guest VMs break out and hijack the host. Google awarded the discovering researcher a $250,000 bug bounty.

Security researcher Hyunwoo Kim discovered a Linux KVM flaw, tracked as CVE-2026-53359, that had gone unnoticed in the kernel for 16 years. Dubbed Januscape, the bug affects systems running on both AMD and Intel CPUs and lets an attacker take over the host machine using only guest-side actions inside a virtual machine—meaning a single rented cloud instance could be used to compromise every other tenant sharing the same physical server.

The root cause is a use-after-free bug in the shadow MMU emulation, the component responsible for translating memory addresses between host and hypervisor. Exploiting it can crash the host kernel (denial of service) or grant root-level code execution on the host, effectively handing over control of every guest VM running on it. Kim released a proof-of-concept that triggers a host crash but is withholding the full VM-escape exploit for now.

Given the severity and scope of the flaw across multi-tenant cloud infrastructure, Google rewarded the discovery with a $250,000 bug bounty, underscoring how much cloud isolation depends on the integrity of KVM's virtualization stack.