All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Januscape: Guest-to-Host Escape in KVM/x86 (CVE-2026-53359)
This is a report on "Januscape (CVE-2026-53359)", a KVM escape
vulnerability that lets a guest escape to the host on KVM/x86,
that is, on both Intel and AMD hosts. Januscape is a use-after-free
vulnerability in the shadow MMU emulation of KVM/x86. It can trigger
the bug with guest-side actions alone to corrupt the host kernel's
shadow page, and it can threaten the guest-host isolation of KVM/x86
hosts that accept untrusted guests and expose nested virtualization,
particularly multi-tenant x86 public clouds (GCP, AWS, etc.).Also, on distributions such as RHEL, /dev/kvm is world-writable
(0666), so an unprivileged user could also use this vulnerability as
a reliable LPE to gain root, though that is a minor impact compared
to the host escape.In fact, Januscape was successfully used as a 0-day exploit in
Google kvmCTF.CVE-2026-53359 was reported to [email protected] and has been
patched in mainline, and it had been latent for about 16 years:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=81ccda30b4e83d8f5cc4fd50503c44e3a33abfebFor detailed information
about the vulnerability and follow-up updates, please see:
https://januscape.io


Comments
Fuck
at least it's not Friday...
EDIT: and the embargo worked
(also, you beat me to posting it)
works!
Not this shit again
So how does it work or when was it actually pushed to mainstream OS kernel updates for fix? I tested this on a lot of systems with AMD-V enabled with a normal virt stack and it doesn't work on any, unless some mitigations I put in place for past vulnerabilities prevents it already. I also checked latest patch notes for Almalinux stable kernel and it doesn't mention this CVE.
Anuscape
Yeah, I also don't understand this yet
Do you have KVM nesting enabled? That seems to be required.
Francisco
Yeah
So, this vuln allows to load kernel module which crashes whole node? And this is how useful for attacker? Buy VPS, exploit and crash your own server. Self-pwnage.
PoC is just a fraction of vulnerability potential, thank god there is no PoC of code execution, but it is theoretically possible, see the detailed write up.
Yep, I saw that. But sample shows only DoS action. No CE.
Damn, all those freakin LLMs. Vuln was asleep for 16 (!) years. It is like a virus in North Pole - you dig glacier -> you will find a damn deadly virus strain.
Hello @tentor, can I tag you?
I get notifications for each post in all my threads regardless if I am being tagged or not
So each time I reply to your thread, you get notification? I will bring the rest of the guys then
hello tentor here comes a notification
Frankly, I'm under the impression that anyone expecting security on today's complex, bloated and largely following the bazaar model systems should make a psychiatrist appointment.
Realistic goal: always try to make your system not even less secure and safe!