Januscape: 16-Year-Old UAF in KVM Shadow MMU Crashes Hosts
CVE-2026-53359 (Januscape) is a 16-year-old UAF in KVM's shadow paging code enabling guest-to-host escape; the public PoC reliably panics the host, disrupting all co-located VMs.
Disclosed by Hyunwoo Kim, Januscape (CVE-2026-53359) is a 16-year-old use-after-free bug in the Linux kernel's KVM shadow paging subsystem. The root cause is that validation only checked a page-tracking structure's guest frame number rather than its full "role," allowing a mismatched role to be reused after it was freed. Crucially, the bug is triggerable entirely through guest-side actions, requiring no separate QEMU or userspace vulnerability — a less common pattern for KVM escapes.
The trigger condition centers on nested virtualization: it forces KVM back onto the legacy shadow-MMU code path even on hosts with modern EPT/NPT hardware support, exposing the flaw. A public proof-of-concept reliably panics the host, causing an instant denial-of-service for every VM co-located on that machine. Kim also claims to have a separate, unreleased exploit achieving full host code execution as root, though this remains an unverified claim rather than confirmed publicly. ARM64 is not affected by this specific bug; a related flaw in the same bug class (ITScape, CVE-2026-46316) covers that architecture instead.
This marks Kim's third KVM/kernel disclosure in roughly two months, following Dirty Frag and ITScape, prompting community debate over whether kvmCTF's reward structure is simply surfacing a backlog of similar bugs or whether shadow-paging code is comparatively under-fuzzed versus the rest of the kernel. For teams running multi-tenant virtualization infrastructure, the combination of guaranteed host-crash DoS and a plausible full-compromise path makes reviewing nested-virtualization and shadow-MMU configurations an urgent priority.