16-Year-Old KVM Use-After-Free Lets Guests Escape to Cloud Hosts on Intel and AMD
Researcher Hyunwoo Kim disclosed Januscape (CVE-2026-53359), a use-after-free bug in the shadow MMU emulation of KVM/x86. A guest can corrupt the host kernel’s shadow page tables using guest-side actions alone, breaking the isolation that separates a virtual machine from the host that runs it. Notably, it fires on both Intel and AMD rather than a single architecture, and because the flaw lives in in-kernel KVM instead of QEMU’s device emulation, it also reaches clouds that run their own bespoke virtualization stacks. The bug was already proven as a working 0-day in Google’s kvmCTF.
The practical risk lands on multi-tenant x86 public clouds (GCP, AWS, and similar) that accept untrusted guests and expose nested virtualization. An attacker renting a single instance could panic the host to take down every co-located tenant (DoS) or, with the full escape, execute code as root on the host and seize all guests on the machine (RCE). Triggering the released proof-of-concept requires loading a kernel module inside the guest — trivial on a cloud VM where you already have root, otherwise chainable with a local privilege escalation. On distributions like RHEL where /dev/kvm is world-writable (0666), the same bug doubles as a reliable unprivileged path to root on the local host.
The vulnerability sat dormant for roughly 16 years, spanning kernels from 2010 up to the June 2026 fix. The public PoC only induces a host kernel panic; the reliable full-escape exploit exists but is being withheld indefinitely. Operators of x86 KVM hosts that take multi-tenant guests with nested virtualization — and users running on top of them — should confirm the patch (commit 81ccda30b4e8) is applied. arm64 hosts aren’t affected by this bug, though the author notes unpatched systems remain exposed to the earlier ITScape flaw (CVE-2026-46316).
Read the full article
Continue reading at Hacker News →This is an AI-generated summary. Read the original for the full story.