Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Shells Virtual Desktop
BMail.ag - Secure Email Service
Server.net
CPLicense.net
VPS Server
Buy VPN
Vultr
VMs for AI
HostDare
HostDare
ReliableSite White-Label Dedicated Hosting for Resellers
25% Recurring Discount on NVMe VPS
InterServer VPS
BMail.ag - Secure Email Service
Best VPN
High-Performance Bare Metal Server Solutions
Karvl.com
Server Mania Cloud Hosting
DataWagon Hosting
AlphaVPS Hosting
Evoxt.com
Clouvider
VPS Hosting with NVMe
Residential IPs in the US & 4G Mobile Proxies in EU & US with Unlimited Bandwidth
ReliableSite White-Label Dedicated Hosting for Resellers
Rabisu - Hosting Solutions
CloudLinux
Shells Virtual Desktop
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Januscape: Guest-to-Host Escape in KVM/x86 (CVE-2026-53359)

2»

Comments

  • If you haven't rebooted enough, there is GhostLock (CVE-2026-43499, https://www.openwall.com/lists/oss-security/2026/07/08/12). Proxmox doesn't mention it in their security announcements forum yet, so I guess it's still vulnerable in 7.0.14-4.

  • MikeAMikeA Member, Patron Provider

    @glueckself said:
    If you haven't rebooted enough, there is GhostLock (CVE-2026-43499, https://www.openwall.com/lists/oss-security/2026/07/08/12). Proxmox doesn't mention it in their security announcements forum yet, so I guess it's still vulnerable in 7.0.14-4.

    lol… we need something like kernelcare specifically for CVE patches that’s open source and not a monthly subscription cost, and supports all distros not just some..

  • @MikeA said:

    @glueckself said:
    If you haven't rebooted enough, there is GhostLock (CVE-2026-43499, https://www.openwall.com/lists/oss-security/2026/07/08/12). Proxmox doesn't mention it in their security announcements forum yet, so I guess it's still vulnerable in 7.0.14-4.

    lol… we need something like kernelcare specifically for CVE patches that’s open source and not a monthly subscription cost, and supports all distros not just some..

    Well, there is /dev/mem, so any reboot is just the operator/admin lacking skills :D

  • forestforest Member

    @glueckself said:
    If you haven't rebooted enough, there is GhostLock (CVE-2026-43499, https://www.openwall.com/lists/oss-security/2026/07/08/12). Proxmox doesn't mention it in their security announcements forum yet, so I guess it's still vulnerable in 7.0.14-4.

    Not an issue for Debian stable (6.12), so probably not an issue for Proxmox.

  • @forest said:

    @glueckself said:
    If you haven't rebooted enough, there is GhostLock (CVE-2026-43499, https://www.openwall.com/lists/oss-security/2026/07/08/12). Proxmox doesn't mention it in their security announcements forum yet, so I guess it's still vulnerable in 7.0.14-4.

    Not an issue for Debian stable (6.12), so probably not an issue for Proxmox.

    No, Proxmox uses a Kernel independent from Debian, only the Userspace is Debian-based.
    The PVE Kernel is Ubuntu based, with their own patches (see their git repo).

  • forestforest Member

    @glueckself said:

    @forest said:

    @glueckself said:
    If you haven't rebooted enough, there is GhostLock (CVE-2026-43499, https://www.openwall.com/lists/oss-security/2026/07/08/12). Proxmox doesn't mention it in their security announcements forum yet, so I guess it's still vulnerable in 7.0.14-4.

    Not an issue for Debian stable (6.12), so probably not an issue for Proxmox.

    No, Proxmox uses a Kernel independent from Debian, only the Userspace is Debian-based.
    The PVE Kernel is Ubuntu based, with their own patches (see their git repo).

    I assumed it would still be based on an LTS.

  • glueckselfglueckself Member
    edited July 9

    @forest said:

    @glueckself said:

    @forest said:

    @glueckself said:
    If you haven't rebooted enough, there is GhostLock (CVE-2026-43499, https://www.openwall.com/lists/oss-security/2026/07/08/12). Proxmox doesn't mention it in their security announcements forum yet, so I guess it's still vulnerable in 7.0.14-4.

    Not an issue for Debian stable (6.12), so probably not an issue for Proxmox.

    No, Proxmox uses a Kernel independent from Debian, only the Userspace is Debian-based.
    The PVE Kernel is Ubuntu based, with their own patches (see their git repo).

    I assumed it would still be based on an LTS.

    IIRC, Proxmox bases their kernel on the latest stable Ubuntu kernel (not LTS), at least for the non-enterprise repo.

    Ubuntu 26.04 fixed GhostLock, which isn't mentioned in the PVE Security Announcements, but Ubuntu is vulnerable to Bad-Epoll which PVE has already fixed.

    EDIT: added links

    Thanked by 2forest oloke
  • stable_geniusstable_genius Member
    edited July 9

    @emgh said:
    Anuscape

    Unfortunately if you patch Anuscape the whole system will lose its function,

    Anuscape is unpatchabale.

  • host_chost_c Patron Provider, Top Host, Megathread Squad

    @rpqu said:
    Fuck

    Thanked by 1rpqu
  • @jsg said:
    Frankly, I'm under the impression that anyone expecting security on today's complex, bloated and largely following the bazaar model systems should make a psychiatrist appointment.

    Realistic goal: always try to make your system not even less secure and safe!

    You just said all that matters on this subject, no need to say more.

    Thanked by 1jsg
  • @TimboJones said:
    Januscape sounds like marketing for a vacation getaway in January.

    huh?

  • @MikeA said:

    @glueckself said:
    If you haven't rebooted enough, there is GhostLock (CVE-2026-43499, https://www.openwall.com/lists/oss-security/2026/07/08/12). Proxmox doesn't mention it in their security announcements forum yet, so I guess it's still vulnerable in 7.0.14-4.

    lol… we need something like kernelcare specifically for CVE patches that’s open source and not a monthly subscription cost, and supports all distros not just some..

    Who pays for the QA?

  • MikeAMikeA Member, Patron Provider

    @TimboJones said:

    @MikeA said:

    @glueckself said:
    If you haven't rebooted enough, there is GhostLock (CVE-2026-43499, https://www.openwall.com/lists/oss-security/2026/07/08/12). Proxmox doesn't mention it in their security announcements forum yet, so I guess it's still vulnerable in 7.0.14-4.

    lol… we need something like kernelcare specifically for CVE patches that’s open source and not a monthly subscription cost, and supports all distros not just some..

    Who pays for the QA?

    Haven't thought that far yet.

    Thanked by 2rsk host_c
  • NeoonNeoon Community Contributor, Veteran

    https://stats.neoon.net/#sort=desc:4

    So many providers didn't reboot.
    Please don't tell me they do live migration.

    Which would mean, LET is premium now? Or is this data rigged?

  • tentortentor Member, Host Rep

    @Neoon said:
    https://stats.neoon.net/#sort=desc:4

    So many providers didn't reboot.
    Please don't tell me they do live migration.

    Which would mean, LET is premium now? Or is this data rigged?

    I can confirm that Skhron patched fully as of 11:00 UTC today, mitigation was applied for all new guests in Sweden since this vuln was announced, and Poland had nested virt disabled since forever.

    Thanked by 1oloke
  • rdesrdes Member

    @Neoon said:
    https://stats.neoon.net/#sort=desc:4

    So many providers didn't reboot.
    Please don't tell me they do live migration.

    Which would mean, LET is premium now? Or is this data rigged?

    Kernelcare costs 2$ in bulk, not so premium.
    BTW. Im really baffled that OVH is rebooting all hypervisors (they taliking about 100k psychical machines) instead of deploying some kind of live patch system

  • layer7layer7 Member, Host Rep, LIR

    @glueckself said:
    If you haven't rebooted enough, there is GhostLock (CVE-2026-43499, https://www.openwall.com/lists/oss-security/2026/07/08/12). Proxmox doesn't mention it in their security announcements forum yet, so I guess it's still vulnerable in 7.0.14-4.

    Hi,

    according to

    https://forum.proxmox.com/threads/cve-2026-43499-ghostlock.184937/

    was already patched before...

    Thanked by 1glueckself
  • MannDudeMannDude Patron Provider, Veteran

    @Neoon said:
    https://stats.neoon.net/#sort=desc:4

    So many providers didn't reboot.
    Please don't tell me they do live migration.

    Which would mean, LET is premium now? Or is this data rigged?

    Some might do live migration.

    @rdes said:

    @Neoon said:
    https://stats.neoon.net/#sort=desc:4

    So many providers didn't reboot.
    Please don't tell me they do live migration.

    Which would mean, LET is premium now? Or is this data rigged?

    Kernelcare costs 2$ in bulk, not so premium.
    BTW. Im really baffled that OVH is rebooting all hypervisors (they taliking about 100k psychical machines) instead of deploying some kind of live patch system

    Honestly, not bad. How quick are they to actual provide patches though to critical CVEs? Faster than someone posting on X about a major exploit and some roundabout way to protect yourself from it in the meantime?

    $2/mo is nothing when most of us are already paying $18/mo~ or so for individual hypervisor licensing (VirtFusion) and running larger, dense hypervisors.

    If kernelcare doesn't have some insane invasive privacy concerns and they're actually quick to provide patches to critical stuff I'll go ahead and deploy it across the fleet. Never thought much of it before but nowadays it'll pay for itself the first time something like this happens and I don't have to spend a day or two patching stuff and being in a minor state of panic when some things don't come back up as expected (Woops, had a few hypervisors that didn't want to come back as easily as others causing extended downtimes).

  • MannDudeMannDude Patron Provider, Veteran

    Wait, am I correct in understanding KernelCare hasn't even patched for this yet?

    Most of our stuff is Debian 12 or Debian 13, but selecting some Alma options too:

    https://patches.kernelcare.com/?type=kernel&distro=debian13,debian12,almalinux10,almalinux8,almalinux9,almalinux9.6-esu&cve

    Doesn't look like they have patched for it yet. So, whats the point then, I guess?

  • tentortentor Member, Host Rep

    @MannDude said:
    Wait, am I correct in understanding KernelCare hasn't even patched for this yet?

    They did for AlmaLinux 9 for sure.

  • MannDudeMannDude Patron Provider, Veteran

    @tentor said:

    @MannDude said:
    Wait, am I correct in understanding KernelCare hasn't even patched for this yet?

    They did for AlmaLinux 9 for sure.

    Ah, the search/sort function isn't all that great. Searching for "2026-53359" or "CVE-2026-53359" doesn't bring up anything but if you hover over specific releases without specifying it specifically, you may see it mentioned. Good to know.

  • tentortentor Member, Host Rep

    @MannDude said:

    @tentor said:

    @MannDude said:
    Wait, am I correct in understanding KernelCare hasn't even patched for this yet?

    They did for AlmaLinux 9 for sure.

    Ah, the search/sort function isn't all that great. Searching for "2026-53359" or "CVE-2026-53359" doesn't bring up anything but if you hover over specific releases without specifying it specifically, you may see it mentioned. Good to know.

    https://patches.kernelcare.com/?cve=CVE-2026-53359&distro= this one works for me

    Thanked by 1MannDude
  • MannDudeMannDude Patron Provider, Veteran

    @tentor said:

    @MannDude said:

    @tentor said:

    @MannDude said:
    Wait, am I correct in understanding KernelCare hasn't even patched for this yet?

    They did for AlmaLinux 9 for sure.

    Ah, the search/sort function isn't all that great. Searching for "2026-53359" or "CVE-2026-53359" doesn't bring up anything but if you hover over specific releases without specifying it specifically, you may see it mentioned. Good to know.

    https://patches.kernelcare.com/?cve=CVE-2026-53359&distro= this one works for me

    Ah, perfect.

    Will look into it more and may implement fleet-wide this coming week. Cost is very reasonable for the overall peace of mind and for automating a relatively tedious (repetitive) task.

    I remember considering it some years ago just as an added-value feature in our earlier days but that was of course before the bi-weekly "Ah fuck, gotta go apply some updates right now." type of critical CVEs were dropping.

    Thanked by 1tentor
  • tentortentor Member, Host Rep

    Still, full hypervisor reboot to update the system cleanly with a live migration is the best option, but needs some spare capacity available, which I lack.

  • host_chost_c Patron Provider, Top Host, Megathread Squad
    edited July 12

    @tentor said:
    Still, full hypervisor reboot to update the system cleanly with a live migration is the best option, but needs some spare capacity available, which I lack.

    same here, yet even so, moving 320TB would take too long and doing that for a lot of nodes is not sustainable/efficient. it would take too much time.

    also. not all nodes have the same cpu freq, so most of the vps will end up in kernel crash.

    cleanest way is to just reboot the node, easy and it is what it is.

    Thanked by 1tentor
  • rskrsk Member, Host Rep

    @MannDude said:

    @tentor said:

    @MannDude said:

    @tentor said:

    @MannDude said:
    Wait, am I correct in understanding KernelCare hasn't even patched for this yet?

    They did for AlmaLinux 9 for sure.

    Ah, the search/sort function isn't all that great. Searching for "2026-53359" or "CVE-2026-53359" doesn't bring up anything but if you hover over specific releases without specifying it specifically, you may see it mentioned. Good to know.

    https://patches.kernelcare.com/?cve=CVE-2026-53359&distro= this one works for me

    Ah, perfect.

    Will look into it more and may implement fleet-wide this coming week. Cost is very reasonable for the overall peace of mind and for automating a relatively tedious (repetitive) task.

    I remember considering it some years ago just as an added-value feature in our earlier days but that was of course before the bi-weekly "Ah fuck, gotta go apply some updates right now." type of critical CVEs were dropping.

    Last I checked, they didn’t have it ready for rocky9 and debian12 unfortunately. However they were quick with deb 13 and el10.

  • forestforest Member

    @host_c said: also. not all nodes have the same cpu freq, so most of the vps will end up in kernel crash.

    That won't cause a kernel panic. If there's a panic when migrating, it will be due to something else (e.g. using host CPU passthrough while AVX512 is being used then being suddenly migrated to a system with only AVX2).

Sign In or Register to comment.