All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Januscape: Guest-to-Host Escape in KVM/x86 (CVE-2026-53359)
This is a report on "Januscape (CVE-2026-53359)", a KVM escape
vulnerability that lets a guest escape to the host on KVM/x86,
that is, on both Intel and AMD hosts. Januscape is a use-after-free
vulnerability in the shadow MMU emulation of KVM/x86. It can trigger
the bug with guest-side actions alone to corrupt the host kernel's
shadow page, and it can threaten the guest-host isolation of KVM/x86
hosts that accept untrusted guests and expose nested virtualization,
particularly multi-tenant x86 public clouds (GCP, AWS, etc.).Also, on distributions such as RHEL, /dev/kvm is world-writable
(0666), so an unprivileged user could also use this vulnerability as
a reliable LPE to gain root, though that is a minor impact compared
to the host escape.In fact, Januscape was successfully used as a 0-day exploit in
Google kvmCTF.CVE-2026-53359 was reported to [email protected] and has been
patched in mainline, and it had been latent for about 16 years:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=81ccda30b4e83d8f5cc4fd50503c44e3a33abfebFor detailed information
about the vulnerability and follow-up updates, please see:
https://januscape.io


Comments
Fuck
at least it's not Friday...
EDIT: and the embargo worked
(also, you beat me to posting it)
works!
Not this shit again
So how does it work or when was it actually pushed to mainstream OS kernel updates for fix? I tested this on a lot of systems with AMD-V enabled with a normal virt stack and it doesn't work on any, unless some mitigations I put in place for past vulnerabilities prevents it already. I also checked latest patch notes for Almalinux stable kernel and it doesn't mention this CVE.
Anuscape
Yeah, I also don't understand this yet
Do you have KVM nesting enabled? That seems to be required.
Francisco
Yeah
So, this vuln allows to load kernel module which crashes whole node? And this is how useful for attacker? Buy VPS, exploit and crash your own server. Self-pwnage.
PoC is just a fraction of vulnerability potential, thank god there is no PoC of code execution, but it is theoretically possible, see the detailed write up.
Yep, I saw that. But sample shows only DoS action. No CE.
Damn, all those freakin LLMs. Vuln was asleep for 16 (!) years. It is like a virus in North Pole - you dig glacier -> you will find a damn deadly virus strain.
Hello @tentor, can I tag you?
I get notifications for each post in all my threads regardless if I am being tagged or not
So each time I reply to your thread, you get notification? I will bring the rest of the guys then
hello tentor here comes a notification
Frankly, I'm under the impression that anyone expecting security on today's complex, bloated and largely following the bazaar model systems should make a psychiatrist appointment.
Realistic goal: always try to make your system not even less secure and safe!
Somewhat relevant.
Greg Kroah-Hartman, responsible for maintaining stable and "staging" branches of the Linux kernel reported, that in the first 6 months of 2026, 2,308 vulnerabilities were identified in the Linux kernel and assigned separate CVE identifiers. Thus, the Linux kernel rose from second to first place in the number of assigned CVE identifiers among software manufacturers. Such an indicator is not objective, since most manufacturers assign CVE identifiers only to dangerous vulnerabilities, while in the Linux kernel taken into account all potential vulnerabilities, regardless of the severity.
Number of CVEs assigned by manufacturer:
2308 "Linux"
1752 Google
1308 "n/a"
843 Microsoft
495 "OpenClaw",
445 Oracle Corporation
395 "Adobe"
340 "Red Hat"
310 Apache Software Foundation
284 "Apple"
The number of CVEs assigned, grouped by individual product:
2309 "Linux"
1584 Chrome
888 "n/a"
497 "OpenClaw"
284 "Windows 10 Version 1607"
255 "Firefox" (Firefox can aggregate information about hundreds of vulnerabilities under one CVE, for example, CVE-2026-6785 contains 155 vulnerabilities, and CVE-2026-6786 contains 110).
153 "Android"
141 "AVideo"
136 "Red Hat Enterprise Linux 10"
124 "iOS and iPadOS"
Latest kernel is fixed, also, after loading the module it will take a while to kick in, but it will crash the whole node eventually.
The vast majority of Linux CVEs are for small obscure drivers or network protocols or custom kernel configurations that no one here would be using. Severe vulnerabilities that affect even default distro configs the way most of us care about are far more rare (but still uncomfortably common).
Those charts are also kinda nonsense as they just throw a bunch of apples and oranges together.
I'm not even saying that those weird comparisons would necessarily somehow put Linux at a disadvantage. It's just that they don't say a whole lot of anything.
And the fact that the CNA is going to be responsible for how many bugs are classified as CVEs. It used to be that Linux barely got any CVEs because they weren't their own CNA, but now they are and they're accepting a lot more reports.
Number of CVEs is a useless measure of security and doesn't even correspond to number of reported vulnerabilities, much less to number of extant vulnerabilities or general security. And not only because bigger codebases get more eyes and more eyes means more discovered bugs, but because there are simply too many layers of indirection between "vulnerable code is discovered" and "MITRE publishes a CVE", and some of those layers are affected by the subjective opinions of people.
Proof of concept test script
https://github.com/V4bel/Januscape