Close Menu
    What's Hot

    ‘Excited but Shocked’: U.S. Soccer Fans Struggle With Trump’s FIFA Call

    Platner Will Take Time to ‘Reflect’ on Campaign After Sexual Assault Accusation

    Canada Bets on NATO Partners for Its Expanded Submarine Fleet

    Facebook X (Twitter) Instagram
    Trending
    • ‘Excited but Shocked’: U.S. Soccer Fans Struggle With Trump’s FIFA Call
    • Platner Will Take Time to ‘Reflect’ on Campaign After Sexual Assault Accusation
    • Canada Bets on NATO Partners for Its Expanded Submarine Fleet
    • 👀 Potential Spain vs. US clash – Live Updates
    • Prosecutors in US lay out case against alleged killer of Charlie Kirk | Courts News
    • Sony Bravia 7 Mark II: Midrange but Priced High (2026)
    • Richard H. Glanton, Combative Head of Barnes Foundation, Dies at 79
    • Element Solutions Inc (ESI) M&A Call Transcript
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems

    adminBy adminJuly 6, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems
    Share
    Facebook Twitter LinkedIn Pinterest Email

    16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems

    A use-after-free bug in Linux’s KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it.

    Dubbed ‘Januscape’ and tracked as CVE-2026-53359, the flaw sits in the shadow MMU code that KVM shares across both Intel and AMD. The public proof-of-concept panics the host; the researcher claims that a separate, unreleased exploit turns the same bug into full host code execution.

    Security researcher Hyunwoo Kim (@v4bel) found and reported the bug. He described Januscape as the first guest-to-host exploit triggerable on both Intel and AMD, to the best of public knowledge. The flaw went unnoticed for roughly 16 years.

    According to Kim, the exploit was used as a zero-day submission in Google’s kvmCTF, the controlled KVM vulnerability reward program that offers up to $250,000 for full guest-to-host escapes.

    How It Works

    To run a virtual machine, KVM keeps its own private set of page tables that mirror the guest’s memory layout. When it needs one of these tracking pages, it looks for an existing one to reuse.

    The problem: it matched them by memory address alone and ignored what type of tracking page it was grabbing. Two different types can share the same address but do completely different jobs, so KVM would sometimes reuse the wrong kind.

    Cybersecurity

    That mix-up scrambles KVM’s internal records of which page belongs where, and once those records are wrong, something has to give.

    Most of the time, the kernel notices the mess and shuts itself down on the spot to avoid doing damage. That crash is what the public demonstration triggers: a guest can knock over the whole host, taking every other VM on that machine down with it.

    The rarer, worse case happens when the freed tracking page gets handed out for another use before the kernel cleans up. The cleanup then scribbles a value into memory it no longer owns. An attacker only controls where that write lands, not what gets written, but even that limited foothold can be worked up into running code on the host.

    The flaw behaves the same on Intel and AMD chips; only the final, hardest step of turning it into full control takes different work on each.

    Who Is Affected

    The vulnerable code has been present since commit 2032a93d66fa in August 2010 (kernel 2.6.36 era) and was fixed by commit 81ccda30b4e8, merged into mainline on June 19, 2026.

    The attack requires two things from the guest side: root inside the VM, a common condition on rented cloud instances, and nested virtualization exposed by the host. Even on hosts that run hardware EPT or NPT by default, nested virtualization forces KVM back through the legacy shadow MMU, which is where the bug sits.

    The exploit needs no cooperation from QEMU or any userspace VMM. It is purely an in-kernel KVM bug.

    The practical concern is any x86 environment that hosts untrusted guests with nested virtualization enabled. An attacker who rents a single such instance can panic the host, taking down every other tenant VM on the same physical machine.

    Kim said the withheld full exploit runs code as root on the host, which would expose other guests on the same machine to that root access. On distributions like RHEL, where /dev/kvm is world-writable (0666), Kim noted the same bug could also serve as a local privilege escalation to root, though the guest-to-host path is the higher-impact use.

    A Busy Few Months for One Researcher

    Januscape is Kim’s third Linux kernel exploit disclosure in roughly two months. In May 2026, he disclosed Dirty Frag (CVE-2026-43284 / CVE-2026-43500), a page-cache write vulnerability chain that delivers deterministic root on most major distributions, extending the same bug class as Dirty Pipe and Copy Fail.

    In June, he published ITScape (CVE-2026-46316), the first publicly demonstrated guest-to-host escape on KVM/arm64, exploiting a race condition in the virtual interrupt controller. Januscape now adds the x86 side; the same trigger fires on both Intel and AMD, with the PoC carrying a separate code path for each vendor.

    Cybersecurity

    Google launched kvmCTF in 2024 specifically because KVM underpins both Android and Google Cloud. A separate KVM x86 shadow paging use-after-free (CVE-2026-46113) involving a related but distinct rmap mismatch was fixed in May 2026.

    That makes two shadow MMU use-after-frees in the same legacy code path within two months.

    What to Do

    The fix is a one-line addition to kvm_mmu_get_child_sp(): the reuse condition now checks role.word alongside the gfn, so a shadow page is only reused when both the frame number and the role match. KVM maintainer Paolo Bonzini wrote the patch.

    Fixed stable versions shipped on July 4, 2026: 7.1.3, 6.18.38, 6.12.95, 6.6.144, 6.1.177, 5.15.211, and 5.10.260. NVD has not yet assigned a CVSS score; do not wait for one.

    If you operate an x86 KVM host that accepts multi-tenant guests with nested virtualization, confirm that your kernel includes commit 81ccda30b4e8. Distribution backports may carry the fix under a different version number, so check the package changelog rather than relying on uname -r alone.

    If you cannot patch immediately, disabling nested virtualization (kvm_intel.nested=0 or kvm_amd.nested=0) removes the attack path for untrusted guests. ARM64 hosts are not affected by Januscape; ITScape (CVE-2026-46316) is a separate KVM/arm64 issue.

    The public PoC demonstrates a reliable host panic from a guest with a loadable kernel module and seconds to minutes of racing. Treat exposed x86 KVM hosts with nested virtualization as high-priority patch targets.

    16yearold AMD escape flaw guest host Intel KVM Lets Linux systems VMs x86
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleKlarna wants to become a bank. Here’s what that could mean for millions of customers
    Next Article Tyson Fury vs Anthony Joshua fight can take place at Wembley Stadium if authorities agree to later start time, says Turki Alalshikh | Boxing News
    admin
    • Website

    Related Posts

    Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT

    July 6, 2026

    Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More

    July 6, 2026

    6 Capabilities That Separate Leaders from Bolt-On AI solutions

    July 6, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    ‘Excited but Shocked’: U.S. Soccer Fans Struggle With Trump’s FIFA Call

    Platner Will Take Time to ‘Reflect’ on Campaign After Sexual Assault Accusation

    Canada Bets on NATO Partners for Its Expanded Submarine Fleet

    👀 Potential Spain vs. US clash – Live Updates

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by