Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Shells Virtual Desktop
BMail.ag - Secure Email Service
Server.net
CPLicense.net
VPS Server
Buy VPN
Vultr
VMs for AI
HostDare
HostDare
ReliableSite White-Label Dedicated Hosting for Resellers
25% Recurring Discount on NVMe VPS
InterServer VPS
BMail.ag - Secure Email Service
Best VPN
High-Performance Bare Metal Server Solutions
Karvl.com
Server Mania Cloud Hosting
DataWagon Hosting
AlphaVPS Hosting
Evoxt.com
Clouvider
VPS Hosting with NVMe
Residential IPs in the US & 4G Mobile Proxies in EU & US with Unlimited Bandwidth
ReliableSite White-Label Dedicated Hosting for Resellers
Rabisu - Hosting Solutions
Shells Virtual Desktop
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Januscape: Guest-to-Host Escape in KVM/x86 (CVE-2026-53359)

tentortentor Member, Host Rep

This is a report on "Januscape (CVE-2026-53359)", a KVM escape
vulnerability that lets a guest escape to the host on KVM/x86,
that is, on both Intel and AMD hosts. Januscape is a use-after-free
vulnerability in the shadow MMU emulation of KVM/x86. It can trigger
the bug with guest-side actions alone to corrupt the host kernel's
shadow page, and it can threaten the guest-host isolation of KVM/x86
hosts that accept untrusted guests and expose nested virtualization,
particularly multi-tenant x86 public clouds (GCP, AWS, etc.).

Also, on distributions such as RHEL, /dev/kvm is world-writable
(0666), so an unprivileged user could also use this vulnerability as
a reliable LPE to gain root, though that is a minor impact compared
to the host escape.

In fact, Januscape was successfully used as a 0-day exploit in
Google kvmCTF.

CVE-2026-53359 was reported to [email protected] and has been
patched in mainline, and it had been latent for about 16 years:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb

For detailed information
about the vulnerability and follow-up updates, please see:
https://januscape.io

Comments

  • rpqurpqu Member

    Fuck

  • deafcondeafcon Member

    @rpqu said:
    Fuck

  • glueckselfglueckself Member
    edited 5:30PM

    at least it's not Friday...
    EDIT: and the embargo worked

    (also, you beat me to posting it)

  • works!

  • rpqurpqu Member

    Not this shit again

  • MikeAMikeA Member, Patron Provider
    edited 6:43PM

    So how does it work or when was it actually pushed to mainstream OS kernel updates for fix? I tested this on a lot of systems with AMD-V enabled with a normal virt stack and it doesn't work on any, unless some mitigations I put in place for past vulnerabilities prevents it already. I also checked latest patch notes for Almalinux stable kernel and it doesn't mention this CVE.

  • emghemgh Member, Megathread Squad

    Anuscape

  • tentortentor Member, Host Rep

    @MikeA said:
    I also checked latest patch notes for Almalinux stable kernel and it doesn't mention this CVE.

    Yeah, I also don't understand this yet

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    @MikeA said:
    So how does it work or when was it actually pushed to mainstream OS kernel updates for fix? I tested this on a lot of systems with AMD-V enabled with a normal virt stack and it doesn't work on any, unless some mitigations I put in place for past vulnerabilities prevents it already. I also checked latest patch notes for Almalinux stable kernel and it doesn't mention this CVE.

    Do you have KVM nesting enabled? That seems to be required.

    Francisco

    Thanked by 1tentor
  • MikeAMikeA Member, Patron Provider

    @Francisco said: Do you have KVM nesting enabled? That seems to be required.

    Yeah

  • LeviLevi Member

    So, this vuln allows to load kernel module which crashes whole node? And this is how useful for attacker? Buy VPS, exploit and crash your own server. Self-pwnage.

  • tentortentor Member, Host Rep

    @Levi said:
    So, this vuln allows to load kernel module which crashes whole node? And this is how useful for attacker? Buy VPS, exploit and crash your own server. Self-pwnage.

    PoC is just a fraction of vulnerability potential, thank god there is no PoC of code execution, but it is theoretically possible, see the detailed write up.

    Thanked by 1MikeA
  • LeviLevi Member

    @tentor said:

    @Levi said:
    So, this vuln allows to load kernel module which crashes whole node? And this is how useful for attacker? Buy VPS, exploit and crash your own server. Self-pwnage.

    PoC is just a fraction of vulnerability potential, thank god there is no PoC of code execution, but it is theoretically possible, see the detailed write up.

    Yep, I saw that. But sample shows only DoS action. No CE.

    Damn, all those freakin LLMs. Vuln was asleep for 16 (!) years. It is like a virus in North Pole - you dig glacier -> you will find a damn deadly virus strain.

  • barbarosbarbaros Member

    Hello @tentor, can I tag you?

    Thanked by 1MikeA
  • tentortentor Member, Host Rep

    @barbaros said:
    Hello @tentor, can I tag you?

    I get notifications for each post in all my threads regardless if I am being tagged or not

  • barbarosbarbaros Member

    @tentor said:

    @barbaros said:
    Hello @tentor, can I tag you?

    I get notifications for each post in all my threads regardless if I am being tagged or not

    So each time I reply to your thread, you get notification? I will bring the rest of the guys then

    Thanked by 1tentor
  • emghemgh Member, Megathread Squad

    hello tentor here comes a notification

    Thanked by 2tentor barbaros
Sign In or Register to comment.