Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Shells Virtual Desktop
BMail.ag - Secure Email Service
Server.net
CPLicense.net
VPS Server
Buy VPN
Vultr
VMs for AI
HostDare
HostDare
ReliableSite White-Label Dedicated Hosting for Resellers
25% Recurring Discount on NVMe VPS
InterServer VPS
BMail.ag - Secure Email Service
Best VPN
High-Performance Bare Metal Server Solutions
Karvl.com
Server Mania Cloud Hosting
DataWagon Hosting
AlphaVPS Hosting
Evoxt.com
Clouvider
VPS Hosting with NVMe
Residential IPs in the US & 4G Mobile Proxies in EU & US with Unlimited Bandwidth
ReliableSite White-Label Dedicated Hosting for Resellers
Rabisu - Hosting Solutions
Shells Virtual Desktop
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Januscape: Guest-to-Host Escape in KVM/x86 (CVE-2026-53359)

tentortentor Member, Host Rep

This is a report on "Januscape (CVE-2026-53359)", a KVM escape
vulnerability that lets a guest escape to the host on KVM/x86,
that is, on both Intel and AMD hosts. Januscape is a use-after-free
vulnerability in the shadow MMU emulation of KVM/x86. It can trigger
the bug with guest-side actions alone to corrupt the host kernel's
shadow page, and it can threaten the guest-host isolation of KVM/x86
hosts that accept untrusted guests and expose nested virtualization,
particularly multi-tenant x86 public clouds (GCP, AWS, etc.).

Also, on distributions such as RHEL, /dev/kvm is world-writable
(0666), so an unprivileged user could also use this vulnerability as
a reliable LPE to gain root, though that is a minor impact compared
to the host escape.

In fact, Januscape was successfully used as a 0-day exploit in
Google kvmCTF.

CVE-2026-53359 was reported to [email protected] and has been
patched in mainline, and it had been latent for about 16 years:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb

For detailed information
about the vulnerability and follow-up updates, please see:
https://januscape.io

Comments

  • rpqurpqu Member

    Fuck

  • deafcondeafcon Member

    @rpqu said:
    Fuck

  • glueckselfglueckself Member
    edited 5:30PM

    at least it's not Friday...
    EDIT: and the embargo worked

    (also, you beat me to posting it)

  • works!

  • rpqurpqu Member

    Not this shit again

  • MikeAMikeA Member, Patron Provider
    edited 6:43PM

    So how does it work or when was it actually pushed to mainstream OS kernel updates for fix? I tested this on a lot of systems with AMD-V enabled with a normal virt stack and it doesn't work on any, unless some mitigations I put in place for past vulnerabilities prevents it already. I also checked latest patch notes for Almalinux stable kernel and it doesn't mention this CVE.

  • emghemgh Member, Megathread Squad

    Anuscape

    Thanked by 2sillycat nghialele
  • tentortentor Member, Host Rep

    @MikeA said:
    I also checked latest patch notes for Almalinux stable kernel and it doesn't mention this CVE.

    Yeah, I also don't understand this yet

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    @MikeA said:
    So how does it work or when was it actually pushed to mainstream OS kernel updates for fix? I tested this on a lot of systems with AMD-V enabled with a normal virt stack and it doesn't work on any, unless some mitigations I put in place for past vulnerabilities prevents it already. I also checked latest patch notes for Almalinux stable kernel and it doesn't mention this CVE.

    Do you have KVM nesting enabled? That seems to be required.

    Francisco

    Thanked by 1tentor
  • MikeAMikeA Member, Patron Provider

    @Francisco said: Do you have KVM nesting enabled? That seems to be required.

    Yeah

  • LeviLevi Member

    So, this vuln allows to load kernel module which crashes whole node? And this is how useful for attacker? Buy VPS, exploit and crash your own server. Self-pwnage.

  • tentortentor Member, Host Rep

    @Levi said:
    So, this vuln allows to load kernel module which crashes whole node? And this is how useful for attacker? Buy VPS, exploit and crash your own server. Self-pwnage.

    PoC is just a fraction of vulnerability potential, thank god there is no PoC of code execution, but it is theoretically possible, see the detailed write up.

  • LeviLevi Member

    @tentor said:

    @Levi said:
    So, this vuln allows to load kernel module which crashes whole node? And this is how useful for attacker? Buy VPS, exploit and crash your own server. Self-pwnage.

    PoC is just a fraction of vulnerability potential, thank god there is no PoC of code execution, but it is theoretically possible, see the detailed write up.

    Yep, I saw that. But sample shows only DoS action. No CE.

    Damn, all those freakin LLMs. Vuln was asleep for 16 (!) years. It is like a virus in North Pole - you dig glacier -> you will find a damn deadly virus strain.

  • barbarosbarbaros Member

    Hello @tentor, can I tag you?

    Thanked by 1MikeA
  • tentortentor Member, Host Rep

    @barbaros said:
    Hello @tentor, can I tag you?

    I get notifications for each post in all my threads regardless if I am being tagged or not

  • barbarosbarbaros Member

    @tentor said:

    @barbaros said:
    Hello @tentor, can I tag you?

    I get notifications for each post in all my threads regardless if I am being tagged or not

    So each time I reply to your thread, you get notification? I will bring the rest of the guys then

    Thanked by 1tentor
  • emghemgh Member, Megathread Squad

    hello tentor here comes a notification

  • NeoonNeoon Community Contributor, Veteran

  • jsgjsg Member, Resident Benchmarker

    Frankly, I'm under the impression that anyone expecting security on today's complex, bloated and largely following the bazaar model systems should make a psychiatrist appointment.

    Realistic goal: always try to make your system not even less secure and safe!

  • JohnFilch123JohnFilch123 Member
    edited 10:04PM

    Somewhat relevant.

    Greg Kroah-Hartman, responsible for maintaining stable and "staging" branches of the Linux kernel reported, that in the first 6 months of 2026, 2,308 vulnerabilities were identified in the Linux kernel and assigned separate CVE identifiers. Thus, the Linux kernel rose from second to first place in the number of assigned CVE identifiers among software manufacturers. Such an indicator is not objective, since most manufacturers assign CVE identifiers only to dangerous vulnerabilities, while in the Linux kernel taken into account all potential vulnerabilities, regardless of the severity.

    Number of CVEs assigned by manufacturer:

    2308 "Linux"
    1752 Google
    1308 "n/a"
    843 Microsoft
    495 "OpenClaw",
    445 Oracle Corporation
    395 "Adobe"
    340 "Red Hat"
    310 Apache Software Foundation
    284 "Apple"
    The number of CVEs assigned, grouped by individual product:

    2309 "Linux"
    1584 Chrome
    888 "n/a"
    497 "OpenClaw"
    284 "Windows 10 Version 1607"
    255 "Firefox" (Firefox can aggregate information about hundreds of vulnerabilities under one CVE, for example, CVE-2026-6785 contains 155 vulnerabilities, and CVE-2026-6786 contains 110).
    153 "Android"
    141 "AVideo"
    136 "Red Hat Enterprise Linux 10"
    124 "iOS and iPadOS"

  • blu1337blu1337 Member

    @MikeA said:
    So how does it work or when was it actually pushed to mainstream OS kernel updates for fix? I tested this on a lot of systems with AMD-V enabled with a normal virt stack and it doesn't work on any, unless some mitigations I put in place for past vulnerabilities prevents it already. I also checked latest patch notes for Almalinux stable kernel and it doesn't mention this CVE.

    Latest kernel is fixed, also, after loading the module it will take a while to kick in, but it will crash the whole node eventually.

  • forestforest Member

    @JohnFilch123 said:
    Somewhat relevant.

    Greg Kroah-Hartman, responsible for maintaining stable and "staging" branches of the Linux kernel reported, that in the first 6 months of 2026, 2,308 vulnerabilities were identified in the Linux kernel and assigned separate CVE identifiers. Thus, the Linux kernel rose from second to first place in the number of assigned CVE identifiers among software manufacturers. Such an indicator is not objective, since most manufacturers assign CVE identifiers only to dangerous vulnerabilities, while in the Linux kernel taken into account all potential vulnerabilities, regardless of the severity.

    Number of CVEs assigned by manufacturer:

    2308 "Linux"
    1752 Google
    1308 "n/a"
    843 Microsoft
    495 "OpenClaw",
    445 Oracle Corporation
    395 "Adobe"
    340 "Red Hat"
    310 Apache Software Foundation
    284 "Apple"
    The number of CVEs assigned, grouped by individual product:

    2309 "Linux"
    1584 Chrome
    888 "n/a"
    497 "OpenClaw"
    284 "Windows 10 Version 1607"
    255 "Firefox" (Firefox can aggregate information about hundreds of vulnerabilities under one CVE, for example, CVE-2026-6785 contains 155 vulnerabilities, and CVE-2026-6786 contains 110).
    153 "Android"
    141 "AVideo"
    136 "Red Hat Enterprise Linux 10"
    124 "iOS and iPadOS"

    The vast majority of Linux CVEs are for small obscure drivers or network protocols or custom kernel configurations that no one here would be using. Severe vulnerabilities that affect even default distro configs the way most of us care about are far more rare (but still uncomfortably common).

    Thanked by 1JohnFilch123
  • edited 10:51PM

    @JohnFilch123 said:
    Somewhat relevant.

    Greg Kroah-Hartman, responsible for maintaining stable and "staging" branches of the Linux kernel reported, that in the first 6 months of 2026, 2,308 vulnerabilities were identified in the Linux kernel and assigned separate CVE identifiers. Thus, the Linux kernel rose from second to first place in the number of assigned CVE identifiers among software manufacturers. Such an indicator is not objective, since most manufacturers assign CVE identifiers only to dangerous vulnerabilities, while in the Linux kernel taken into account all potential vulnerabilities, regardless of the severity.

    Number of CVEs assigned by manufacturer:

    2308 "Linux"
    1752 Google
    1308 "n/a"
    843 Microsoft
    495 "OpenClaw",
    445 Oracle Corporation
    395 "Adobe"
    340 "Red Hat"
    310 Apache Software Foundation
    284 "Apple"
    The number of CVEs assigned, grouped by individual product:

    2309 "Linux"
    1584 Chrome
    888 "n/a"
    497 "OpenClaw"
    284 "Windows 10 Version 1607"
    255 "Firefox" (Firefox can aggregate information about hundreds of vulnerabilities under one CVE, for example, CVE-2026-6785 contains 155 vulnerabilities, and CVE-2026-6786 contains 110).
    153 "Android"
    141 "AVideo"
    136 "Red Hat Enterprise Linux 10"
    124 "iOS and iPadOS"

    Those charts are also kinda nonsense as they just throw a bunch of apples and oranges together.

    • Linux vs. Microsoft (an open source kernel vs. the developer of a ton of different close source software)
    • Linux vs. Google (basically an open source kernel vs. Chrome and a bunch of webapps with closed backends)
    • Linux vs. Windows (an open source kernel vs. a closed source OS)
    • Linux vs. AVideo (an open source kernel vs. wtf is AVideo)
    • Linux vs. Chrome (an open source kernel vs. an open source Browser - totally different beasts)
    • Linux vs Adobe (an open source kernel vs. again a developer of largely closed source software)
    • ...

    I'm not even saying that those weird comparisons would necessarily somehow put Linux at a disadvantage. It's just that they don't say a whole lot of anything.

  • forestforest Member
    edited 10:56PM

    @totally_not_banned said: I'm not even saying that those weird comparisons would necessarily somehow put Linux at a disadvantage. It's just that they don't say a whole lot of anything.

    And the fact that the CNA is going to be responsible for how many bugs are classified as CVEs. It used to be that Linux barely got any CVEs because they weren't their own CNA, but now they are and they're accepting a lot more reports.

    Number of CVEs is a useless measure of security and doesn't even correspond to number of reported vulnerabilities, much less to number of extant vulnerabilities or general security. And not only because bigger codebases get more eyes and more eyes means more discovered bugs, but because there are simply too many layers of indirection between "vulnerable code is discovered" and "MITRE publishes a CVE", and some of those layers are affected by the subjective opinions of people.

    Thanked by 1totally_not_banned
  • stefemanstefeman Member

    Proof of concept test script

    https://github.com/V4bel/Januscape

Sign In or Register to comment.