
A 16-year-old use-after-free bug in Linux’s KVM hypervisor lets a malicious guest virtual machine corrupt host kernel memory — and potentially escape to the host entirely. CVE-2026-53359 (“Januscape”), patched in stable kernels on July 4, affects every Intel and AMD x86 system running KVM since kernel 2.6.36 (August 2010). If you run VMs on Linux — bare metal, Proxmox, OpenStack, or any cloud exposing nested virtualization — patch today.
What Januscape Actually Does
The bug lives in kvm_mmu_get_child_sp() inside arch/x86/kvm/mmu/mmu.c, deep in KVM’s shadow MMU code. When KVM retrieves a cached shadow page from its hash table, it matched by guest frame number (gfn) — but failed to check whether the page’s execution role also matches.
When a guest page table transitions from a 2MB huge page to a standard 4KB page directory, KVM reused the existing shadow page structure despite the role mismatch. The shadow page gets freed, but a stale rmap connection survives. That’s the UAF. An attacker inside a guest VM can steer that mismap to point at host memory of their choosing — and that’s the escape path.
The fix is one line: kvm_mmu_get_child_sp() now checks role.word alongside gfn before reuse. The bug lived for 16 years not because KVM development is sloppy — the shadow MMU is one of the most complex subsystems in the kernel — but because checking identity by a single attribute when the real invariant requires two is an easy conceptual error to carry forward.
The Gotcha: You Need Two Patches
Patching CVE-2026-53359 alone is not enough — and this is where many admins will make a mistake.
CVE-2026-46113 is a companion bug in the same code path, first partially addressed in May 2026. That fix corrected the gfn check but left an adjacent role.word hole open. Both commits are required to close Januscape:
- commit 81ccda30b4e8 — CVE-2026-53359 (the escape fix)
- commit 0cb2af2ea66a — CVE-2026-46113 (the frame-number companion fix)
If your CVE scanner checks IDs individually and only flags 53359 as patched, you may walk away thinking you’re covered while still being fully exploitable. The July 4 stable kernel releases bundle both patches together — if you’re on a fixed kernel version, you have both. If you’re applying patches manually to an older kernel, check for both CVE IDs explicitly.
Who Is Affected and How Bad Is It
Januscape triggers on both Intel (VMX/EPT) and AMD (SVM/NPT) — the first publicly known guest-to-host exploit that works across both architectures. Any Linux host running KVM from kernel 2.6.36 onward is in scope: Proxmox, OpenStack, oVirt, QEMU/libvirt, and any cloud platform that exposes nested virtualization to tenants.
On exploit status: a public proof-of-concept demonstrates the host-crash path — a guest module races the host into a kernel panic within seconds. Researcher Hyunwoo Kim (@v4bel) disclosed that the bug was weaponized during Google’s kvmCTF competition before going public, and explicitly named GCP and AWS as threatened platforms. A full guest-to-host RCE exploit is claimed but has not been released.
That last point is a clock. Once a full exploit is public, unpatched hosts become immediate targets for any attacker with guest VM access.
Patch Now: Fixed Kernel Versions
The following stable releases shipped July 4, 2026 with both CVE-2026-53359 and CVE-2026-46113 fixes applied:
- 7.1.3
- 6.18.38
- 6.12.95
- 6.6.144
- 6.1.177
- 5.15.211
- 5.10.260
Platform-specific notes:
- Proxmox VE: Update the
pve-kernelpackage — do not rely solely on the upstream kernel package - CloudLinux: Live kpatch available (no reboot required); verify with
kcarectl --patch-info | grep -E 'CVE-2026-53359|CVE-2026-46113' - Ubuntu: Check the Ubuntu CVE tracker; patches rolling out per-release
- Red Hat, AlmaLinux, Rocky Linux, Oracle Linux: RHSA pending — watch your vendor advisory page for the errata
If You Cannot Patch Today
Disable nested virtualization to remove the primary attack surface:
# Intel hosts
echo "options kvm_intel nested=0" | sudo tee /etc/modprobe.d/kvm-no-nested.conf
# AMD hosts
echo "options kvm_amd nested=0" | sudo tee /etc/modprobe.d/kvm-no-nested.conf
# Reload modules (or reboot)
sudo modprobe -r kvm_intel && sudo modprobe kvm_intel
Verify your current nested virtualization status:
for p in /sys/module/kvm_intel/parameters/nested /sys/module/kvm_amd/parameters/nested; do
[ -e "$p" ] && printf "%s=%s\n" "$p" "$(tr -d '\n' < "$p")"
done
Also restrict /dev/kvm permissions if unprivileged users have access — this closes a local privilege escalation path independent of the hypervisor escape.
The Bigger Picture
Januscape is a reminder that hypervisor isolation is not a guarantee — it’s a property that has to be actively maintained. The KVM shadow MMU has been reviewed by some of the best kernel engineers in the world, and a critical role-confusion bug still hid there for 16 years. Responsible disclosure worked here: @v4bel reported privately, patches landed in stable kernels before a full exploit went public. But the two-patch requirement is a real operational trap, and distribution patches are still catching up days after the upstream fix shipped.
Patch. Verify both CVE IDs. Don’t assume your cloud provider has handled it — check your kernel version yourself and confirm the fix is in.













