« All posts

Januscape: 16-Year-Old Critical Linux KVM Escape, PoC Public

CVE-2026-53359 (Januscape) is a critical Linux KVM guest-to-host escape in the shadow MMU, present since 2010; a public PoC causes host kernel panic.

Researcher Hyunwoo Kim disclosed a use-after-free bug in Linux KVM's shadow MMU, present in the kernel since August 2010, tracked as CVE-2026-53359 and nicknamed Januscape. It's the first publicly documented cross-architecture KVM guest-to-host escape, working on both Intel and AMD, and it can be triggered entirely from inside a guest VM with no hypervisor or host interaction required.

Because the flaw lives in in-kernel KVM rather than QEMU's emulation layer, it also affects cloud providers running custom virtualization stacks. The currently released PoC causes a host kernel panic (DoS); a full remote-code-execution escape reportedly exists but has not been made public.

On systems like RHEL where /dev/kvm permissions are set to 0666, the same bug doubles as an unprivileged local privilege escalation to root. The issue was validated as a 0-day through Google's kvmCTF program and has been patched via commit 81ccda30b4e8, backported to kernels 6.1.177, 6.6.144, 6.12.95, 6.18.38 and 7.1.3.

Because the bug fires below the layer SIEM and EDR tools can inspect, there is no viable detection path; checking host kernel versions and applying the patch is currently the only actionable mitigation.