Linux KVM Bug Allows Guest-to-Host Escape on Intel and AMD x86 Systems
A newly disclosed vulnerability in Linux’s Kernel-based Virtual Machine (KVM) could let a malicious guest virtual machine interfere with the host system and, in some cases, break out of the guest envi...
A newly disclosed vulnerability in Linux’s Kernel-based Virtual Machine (KVM) could let a malicious guest virtual machine interfere with the host system and, in some cases, break out of the guest environment entirely. The issue, tracked as CVE-2026-53359 and nicknamed Januscape, affects the shadow MMU code used by KVM on both Intel and AMD x86 platforms.
Security researcher Hyunwoo Kim reported the flaw after finding that KVM could confuse one type of shadow page for another when reusing memory. That mistake can corrupt the hypervisor’s internal bookkeeping. In the most common outcome, the host kernel detects the inconsistency and crashes, which can take down every VM running on the same machine. According to the researcher, a more advanced exploit path can turn the same flaw into host code execution.
Why the bug matters
The bug has reportedly existed since kernel code added in 2010 and remained unnoticed for roughly 16 years. It does not require help from QEMU or other user-space virtualization software, and it can be reached from inside a guest that has root access and nested virtualization enabled on the host.
- Works against Linux KVM on x86 systems from both Intel and AMD
- Can be triggered from a guest VM with root privileges
- Uses the legacy shadow MMU path when nested virtualization is enabled
- May lead to host crashes or, in a more complex exploit, host compromise
Google’s kvmCTF bug bounty program was one venue where the issue was submitted. The public proof-of-concept currently demonstrates a host panic, while the researcher says a separate unreleased exploit achieves full host execution.
Fix and mitigation
The vulnerability was corrected by a small change to KVM’s page reuse logic so that the frame number and page role must both match before a shadow page is reused. The fix reached mainline stable kernels on July 4, 2026, with backports appearing in several supported releases.
Administrators running multi-tenant x86 KVM environments should verify that their kernels include the patch, especially where nested virtualization is exposed to untrusted guests. If patching is delayed, disabling nested virtualization can remove the attack path.
ARM64 systems are not affected by this issue, though a separate KVM/arm64 escape has also been reported independently.
