Google pays $250K for Linux vulnerability permitting visitor VM escapes

A Linux vulnerability that permits untrusted digital machines to realize root entry to host machines is certainly one of two high-severity flaws to floor this week within the open supply working system.
The vulnerability resides in KVM, which is, in essence, a digital machine app included within the kernel of many Linux distributions. The vulnerability, tracked as CVE-2026-53359, permits visitor digital machines—comparable to these utilized in cloud platforms to isolate one person’s occasion from the host OS and different person situations—to interrupt out of that container.
Januscape: A risk to cloud platforms
The vulnerability impacts KVM working on each AMD and Intel processors. It exploits bugs residing within the KVM guest-side, the portion of the VM that consists of solely sources just like the OS or drivers current within the visitor VM, moderately than sources current on the host machine. The risk went unnoticed within the Linux kernel for 16 years.
“With guest-side actions alone, an attacker can compromise the host that runs their VM,” Hyunwoo Kim, the researcher who found the flaw, wrote. “For instance, an attacker who has rented only a single occasion on a public cloud may panic the host kernel to take down each different tenant VM on the identical bodily machine (DoS), or run code with root privilege on the host to take over the host and all of the visitors on it (RCE).”
Kim has named the vulnerability Januscape. The flaw is a use-after-free vulnerability—a type of reminiscence corruption vulnerability that injects malicious code into not too long ago freed areas of reminiscence. The vulnerability resides within the shadow MMU emulation, a course of that interprets host reminiscence addresses to hypervisor reminiscence addresses and vice versa.
Exploits will set off guest-side actions alone to deprave the host kernel’s shadow web page, an information construction within the host that assists within the deal with translation. Kim has launched a proof-of-concept exploit that runs within the visitor VM to set off a crash on the host OS. He mentioned an exploit that totally escapes the visitor additionally exists however received’t be launched till “the very distant future.”
