Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Shells Virtual Desktop
BMail.ag - Secure Email Service
Server.net
CPLicense.net
VPS Server
Buy VPN
Vultr
VMs for AI
HostDare
HostDare
ReliableSite White-Label Dedicated Hosting for Resellers
25% Recurring Discount on NVMe VPS
InterServer VPS
BMail.ag - Secure Email Service
Best VPN
High-Performance Bare Metal Server Solutions
Karvl.com
Server Mania Cloud Hosting
DataWagon Hosting
AlphaVPS Hosting
Evoxt.com
Clouvider
VPS Hosting with NVMe
Residential IPs in the US & 4G Mobile Proxies in EU & US with Unlimited Bandwidth
ReliableSite White-Label Dedicated Hosting for Resellers
Rabisu - Hosting Solutions
Shells Virtual Desktop
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Januscape: Guest-to-Host Escape in KVM/x86 (CVE-2026-53359)

tentortentor Member, Host Rep

This is a report on "Januscape (CVE-2026-53359)", a KVM escape
vulnerability that lets a guest escape to the host on KVM/x86,
that is, on both Intel and AMD hosts. Januscape is a use-after-free
vulnerability in the shadow MMU emulation of KVM/x86. It can trigger
the bug with guest-side actions alone to corrupt the host kernel's
shadow page, and it can threaten the guest-host isolation of KVM/x86
hosts that accept untrusted guests and expose nested virtualization,
particularly multi-tenant x86 public clouds (GCP, AWS, etc.).

Also, on distributions such as RHEL, /dev/kvm is world-writable
(0666), so an unprivileged user could also use this vulnerability as
a reliable LPE to gain root, though that is a minor impact compared
to the host escape.

In fact, Januscape was successfully used as a 0-day exploit in
Google kvmCTF.

CVE-2026-53359 was reported to [email protected] and has been
patched in mainline, and it had been latent for about 16 years:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb

For detailed information
about the vulnerability and follow-up updates, please see:
https://januscape.io

Comments

  • rpqurpqu Member

    Fuck

  • deafcondeafcon Member

    @rpqu said:
    Fuck

  • glueckselfglueckself Member
    edited 5:30PM

    at least it's not Friday...
    EDIT: and the embargo worked

    (also, you beat me to posting it)

  • works!

  • rpqurpqu Member

    Not this shit again

  • MikeAMikeA Member, Patron Provider
    edited 6:43PM

    So how does it work or when was it actually pushed to mainstream OS kernel updates for fix? I tested this on a lot of systems with AMD-V enabled with a normal virt stack and it doesn't work on any, unless some mitigations I put in place for past vulnerabilities prevents it already. I also checked latest patch notes for Almalinux stable kernel and it doesn't mention this CVE.

  • emghemgh Member, Megathread Squad

    Anuscape

  • tentortentor Member, Host Rep

    @MikeA said:
    I also checked latest patch notes for Almalinux stable kernel and it doesn't mention this CVE.

    Yeah, I also don't understand this yet

Sign In or Register to comment.