Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3104 articles · 171978 vulns · 36/41 feeds (7d)
← Back to list
—
CVE-2026-53359EXPLOITEDPATCHED
linux · linux kernel

KVM: x86: Fix shadow paging use-after-free due to unexpected role

Description

A 16-year-old Linux kernel vulnerability, dubbed Januscape, allows attackers to escape a virtual machine and execute arbitrary code on the host. According to Hyunwoo Kim, the security researcher who discovered it, this guest-to-host escape flaw (tracked as CVE-2026-53359) stems from a use-after-free weakness in the shadow MMU emulation of KVM/x86, the kernel-based virtual machine built for x86 and x86_64 (AMD64) processor architectures. Januscape has been present in the Linux kernel for approximately 16 years before being patched in June 2026, and was used as a zero-day exploit in Google's kvmCTF vulnerability reward program (VRP). Successful exploitation allows attackers with root access inside a guest virtual machine (the default configuration on public cloud instances) to execute code as root on the host and take over all guests running on it or crash the host kernel (knocking every other tenant's virtual machine on the same server offline). Kim described Januscape as the first guest-to-host exploit that can be triggered on both Intel and AMD processor architectures, rather than being limited to a single platform, and noted that it poses a distinct risk to multi-tenant public cloud environments, such as those offered by Google Cloud and Amazon Web Services. "With guest-side actions alone, an attacker can compromise the host that runs their VM," Kim explained on Monday. "For example, an attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE)." On some Linux distros, such as Red Hat Enterprise Linux (RHEL), where /dev/kvm is world-writable, unprivileged attackers can also exploit CVE-2026-53359 to reliably gain root permissions on unpatched devices. Januscape demo (Hyunwoo Kim) The security researcher published a technical write-up and a proof-of-concept exploit that can trigger a host kernel panic, and said that a full guest-to-host escape exploit will not be released for the foreseeable future. Administrators running KVM/x86 hosts that accept multi-tenant guests should confirm that patch commit 81ccda30b4e8 has been applied to the host kernel to ensure the hosts are secure against attacks.

Affected Products

VendorProductVersions
linuxlinux kernel2032a93d66fa282ba0f2ea9152eeff9511fa9a96, 2032a93d66fa282ba0f2ea9152eeff9511fa9a96, 2032a93d66fa282ba0f2ea9152eeff9511fa9a96, 2032a93d66fa282ba0f2ea9152eeff9511fa9a96, 2032a93d66fa282ba0f2ea9152eeff9511fa9a96, 2032a93d66fa282ba0f2ea9152eeff9511fa9a96, 2.6.36, 6.1.176, 6.6.143, 6.12.94, 6.18.37, 7.1.2, 81ccda30b4e8

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
debiandebian linuxcert_advisory90%
linuxlinuxmitre_affected90%
open sourceopen source linux kernelcert_advisory90%

References

  • https://git.kernel.org/stable/c/b1337aae5e194324e4810d561764e7793f8b3864
  • https://git.kernel.org/stable/c/9291654d69e08542de37755cebe4d5b02c3170d1
  • https://git.kernel.org/stable/c/2ad3afa40ac6aa340dada122f9abfa46c0a6eb35
  • https://git.kernel.org/stable/c/5e470998a23e4c3d89ed24e8172cb22747e61efa
  • https://git.kernel.org/stable/c/1ae7d5a6db6c190ce183e3098ca0e0846e14d462
  • https://git.kernel.org/stable/c/81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb

Related News (9 articles)

Tier D
BleepingComputer3h ago
New Januscape Linux flaw allows VM escape on Intel, AMD devices
→ No new info (linked only)
Tier D
SecurityWeek5h ago
Linux Kernel Vulnerability Allows VM Escape on Intel and AMD Systems
→ No new info (linked only)
Tier E
Reddit r/cybersecurity18h ago
Januscape (CVE-2026-53359): 16 year old Critical Linux KVM Guest-to-Host Escape, PoC Public
→ No new info (linked only)
Tier E
Lobsters Security21h ago
Januscape: Guest-to-Host Escape in KVM/x86
→ No new info (linked only)
Tier D
The Hacker News21h ago
16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems
→ No new info (linked only)
Tier C
oss-security22h ago
Januscape: Guest-to-Host Escape in KVM/x86 (CVE-2026-53359)
→ No new info (linked only)
Tier B
BSI Advisories1d ago
[NEU] [mittel] Linux Kernel: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
VulDB3d ago
CVE-2026-53359 | Linux Kernel up to 7.1.2 KVM rmap_remove shadowed_translation[] use after free
→ No new info (linked only)
Tier C
Linux Kernel CVEs3d ago
CVE-2026-53359: KVM: x86: Fix shadow paging use-after-free due to unexpected role
→ No new info (linked only)
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
81ccda30b4e8
CWECWE-416, CWE-20
PublishedJul 4, 2026
Last enriched2h agov7
Tags
KVMuse-after-freeguest-to-host escapeCVE-2026-53359KVM escapeRCEDoSIntelAMDmulti-tenantpublic cloudnested virtualizationzero-dayRHELkvmCTFvulnerability reward programmulti-tenant environmentsGoogle CloudAmazon Web Services
Trending Score81
Source articles9
Independent9
Info Completeness9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

HIGHCVE-2026-43284EXPKEV
xfrm: esp: avoid in-place decrypt on shared skb frags
Trending: 149
HIGHCVE-2026-43500EXPKEV
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Trending: 141
HIGHCVE-2026-46242EXP
eventpoll: fix ep_remove struct eventpoll / struct file UAF
Trending: 63
CRITICALCVE-2026-53360EXP
KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
Trending: 56
HIGHCVE-2026-46300EXP
net: skbuff: preserve shared-frag marker during coalescing
Trending: 49

Pin to Dashboard

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 4, 2026
Discovered by ZDM
Jul 4, 2026
Actively Exploited
Jul 4, 2026
Exploit Available
Jul 4, 2026
Patch Available
Jul 4, 2026
Updated: affectedVersions
Jul 4, 2026
Updated: description, severity, cweIds, exploitAvailable, activelyExploited, tags
Jul 6, 2026
Updated: cweIds, tags
Jul 6, 2026
Updated: affectedVersions, tags
Jul 6, 2026
Updated: description, tags
Jul 7, 2026
Updated: description, patchAvailable, tags
Jul 7, 2026

Version History

v7
Last enriched 2h ago
v7Tier D2h ago

Updated description with more technical detail, specified patch commit 81ccda30b4e8, and added new relevant tags.

descriptionpatchAvailabletags
via BleepingComputer
v6Tier D4h ago

Updated description with detailed technical information and added new tags related to Intel, AMD, and public cloud vulnerabilities.

descriptiontags
via SecurityWeek
v5Tier E19h ago

Updated description with detailed technical information about the Januscape vulnerability and added new affected version and tags.

affectedVersionstags
via Lobsters Security
v4Tier D20h ago

Updated description with new technical details, added CVE-2026-53359, and included a new CWE.

cweIdstags
via The Hacker News
v3Tier C22h ago

Updated description with new technical details, changed product to KVM/x86, updated severity to HIGH, added CWE-416, and marked the vulnerability as actively exploited with an exploit available.

descriptionseveritycweIdsexploitAvailableactivelyExploitedtags
via oss-security
v2Tier C3d ago

Updated description with critical severity and new affected versions up to 7.1.2.

affectedVersions
via VulDB
v13d ago

Initial creation