Skip to main content
SecurityJuly 13, 20267 min read

A 16-Year-Old KVM Bug Called Januscape Lets a Guest VM Break Out to the Host on Intel and AMD

Januscape (CVE-2026-53359) is a 16-year-old use-after-free in the Linux KVM shadow MMU on both Intel and AMD, rated a guest-to-host escape by Canonical. The public proof of concept crashes the host from inside a guest, while full host takeover is claimed but not published. Upstream fixed it on July 4, but distro kernels are still pending. Here is who is exposed, the nested-virtualization mitigation, and what to do now.

A Guest VM Breaking Into Its Host, on Both Intel and AMD

A newly disclosed Linux KVM vulnerability called Januscape, tracked as CVE-2026-53359, lets a hostile virtual machine reach out of its own sandbox and attack the host underneath it. It affects the KVM hypervisor on both Intel and AMD x86 systems, the vulnerable code has been present for about 16 years, and upstream fixes only landed on July 4, 2026. As of this writing the distribution kernels most people actually run, Ubuntu among them, are still catching up, which is the uncomfortable part.

Before anything else, one precise distinction, because the headlines blur it. Januscape is a guest-to-host escape class vulnerability, and Canonical labels it exactly that. But the exploit that is public today does not take over the host, it crashes it. The full host-takeover version is claimed by the researcher and has not been published. That gap matters for how you should react, so this is a calm triage: what the bug is, what is actually public versus claimed, who is genuinely exposed, and what to do while the kernel you run is still pending.

What the Bug Actually Is

Januscape is a use-after-free in the shadow memory-management unit that KVM uses on x86, the shared code path that sits under both Intel VT-x and AMD-V. In broad terms, a malicious guest can drive KVM into reusing a cached shadow page-table entry that no longer matches the mapping being built, leaving a stale reverse-map pointer into memory the hypervisor later frees. From inside the guest, that is a lever against the host kernel's own memory.

Two things make it notable. First, it lives in shared MMU code, so it hits Intel and AMD alike, which is unusual for this class of bug and part of why it drew attention. Second, it is old: the vulnerable code traces back to Linux 2.6.36, released around 2010, so it has been quietly present through roughly 16 years of kernels. It was found by security researcher Hyunwoo Kim and submitted through Google's kvmCTF program, the controlled contest that pays up to 250,000 US dollars specifically for full guest-to-host escapes.

Escape Versus Crash, Stated Plainly

This is the part worth getting right, because it sets your urgency without letting you off the hook.

What is public right now is a proof of concept that reliably panics the host from inside a guest, within seconds to minutes. That is a denial-of-service capability: a single tenant can knock over the shared machine, and every other workload on it, at will. On multi-tenant infrastructure that alone is serious.

What is claimed but not public is the full escape, host code execution driven from the guest, which the researcher says a separate, unreleased exploit achieves. Canonical rates the issue High and describes it in its own tracker as a guest-to-host escape, and the kvmCTF context supports that this is escape class, not merely a crash. So the honest summary is this: treat it as a real escape, because the class and the sources say so, but understand that the weaponized code circulating today is a host-crashing denial of service, not a published host takeover. Plan for the escape, expect the crash.

Who Is Actually at Risk

The exposure is narrower than every Linux machine, and the shape of it points straight at the fix. Two conditions have to hold. The attacker needs root inside a guest, so they must already control a VM, and the host has to expose nested virtualization to that guest. Nested virtualization is the escape path. Turn it off and the door this bug opens is closed.

That ranks the risk cleanly:

  • Highest: anyone running untrusted or multi-tenant guests on KVM with nested virtualization enabled. Public cloud and VPS hosts, shared virtualization platforms, Proxmox and similar KVM-based hosts that hand nested virt to customers, and CI systems that run nested VMs for isolation.
  • Real but self-contained: single-tenant hosts where you control every guest. The crash is still a stability bug worth patching, but there is no hostile tenant there to launch it.
  • Low: KVM hosts that do not expose nested virtualization to guests at all, which for many workloads is the default.

If you do not know whether your hosts hand nested virtualization to guests, that is the first thing to find out, because it decides both your risk and your quickest mitigation.

The Patch Gap, and Why It Is Two Bugs

Upstream stable kernels with the fix shipped on July 4, 2026, across the maintained lines. The problem is the gap between upstream and the kernel your distribution actually ships. Canonical's tracker, at the time of writing, still shows the fix pending across Ubuntu releases, including the cloud kernel variants for AWS, Azure, and Google Cloud. Other distributions are on their own timelines. Until the kernel you run carries the fix, you are exposed, which is exactly why the mitigation matters.

There is also a detail that trips up anyone cherry-picking commits. Fixing Januscape properly takes two coupled patches, not one: the escape fix tracked as CVE-2026-53359 and a companion frame-number fix tracked as CVE-2026-46113. Both are required. The practical instruction is to take your distribution's kernel update, which carries the pair, rather than backporting a single commit and believing you are done.

What to Do

The steps are ordered by how fast they close the risk.

  • Mitigate now if you expose nested virtualization to untrusted guests. Canonical's recommended workaround is to disable nested virtualization on the host by setting the KVM modules with nesting off, in a modprobe configuration such as one under /etc/modprobe.d, using nested=0 for both the kvm_intel and kvm_amd modules, then reloading the module or rebooting. Confirm that no guest actually depends on nested virtualization before you do this in production.
  • Find your exposure. Inventory which hosts run KVM and which of them expose nested virtualization to guests you do not fully control. Those are the ones that matter.
  • Patch as soon as your distribution ships the fixed kernel, verify it addresses both CVE-2026-53359 and CVE-2026-46113, then reboot into it. A kernel update you have not rebooted into is not applied.
  • Prioritize by tenancy. Multi-tenant and customer-facing KVM hosts first, internal single-tenant hosts after. The mitigation buys time on the urgent ones so you are not forced into an emergency kernel roll.

The pattern is the familiar one for a hypervisor bug with a public crasher and a claimed escape. If you run other people's VMs on shared KVM hosts, this is a mitigate-today and patch-this-week item. If every guest is your own, it is a normal patch on the next kernel update. Either way, the nested-virtualization switch is the lever you control while the kernel catches up.

If you run virtualization at scale and want a fast read on which of your hosts expose nested virt, which tenants are actually untrusted, and how to sequence the mitigation and the kernel roll without taking workloads down, that is exactly the triage our security and compliance and server management work handles. For a companion case from the same week, a local-root kernel bug with the same public-crasher and claimed-escalation shape, see our note on the GhostLock kernel flaw.

Sources

Talk to the engineer who will own your stack.

No account managers, no offshore handoff. Senior DevOps, direct. Tell us what you are dealing with and you get a straight answer.