A use-after-free vulnerability (CVE-2026-53359) has been discovered in the KVM hypervisor of the Linux kernel, allowing a guest virtual machine to corrupt the state of the host kernel’s shadow pages. The vulnerable code has been present in the kernel since 2010 — for about 16 years. A public PoC exploit called Januscape demonstrates a reliable host crash, resulting in denial of service for all virtual machines on the physical server. The issue affects x86 hosts on Intel and AMD processors with nested virtualization enabled. A fix is available — administrators of multi-tenant KVM environments should prioritize applying the patch.
Technical details of the vulnerability
The bug is located in the shadow MMU code — the shadow page table mechanism that KVM uses to track guest memory. When attempting to reuse an existing shadow page, KVM matched it only by the guest frame number (GFN), but did not verify the type (role) of that page. Two different types of shadow pages can share the same address while serving completely different purposes. This could cause KVM to substitute a page of the wrong type, breaking the internal integrity of its data structures.
In most cases, the kernel detects the corruption and crashes — this is exactly what the public Januscape PoC demonstrates: a loadable kernel module in the guest VM triggers a host panic within seconds or minutes of race conditions. However, there is a more dangerous scenario: if a freed shadow page gets reallocated for other purposes before the cleanup runs, the cleanup routine writes a value into memory it no longer owns. According to the researcher, the attacker controls where the write occurs, although not the value being written — but even this limited primitive can be sufficient for further escalation.
The vulnerable code was introduced by commit 2032a93d66fa in August 2010 (Linux 2.6.36 era). The fix — commit 81ccda30b4e8 — was merged into the mainline on June 19, 2026. The patch author is KVM maintainer Paolo Bonzini. The fix is a one-line addition to the kvm_mmu_get_child_sp() function: the reuse condition now checks role.word alongside the GFN.
Exploitation conditions and threat scope
Two conditions must be met on the guest side for exploitation:
- Root privileges inside the VM — a common situation for rented cloud instances.
- Nested virtualization enabled on the host. Even if the host normally uses hardware EPT (Intel) or NPT (AMD), nested virtualization forces KVM to fall back to the legacy shadow MMU path, where the bug resides.
The exploit does not require interaction with QEMU or any other user-space VMM — this is a purely in-kernel KVM bug. The practical risk is concentrated in x86 environments serving untrusted tenants with access to nested virtualization. An attacker who rents a single such instance can bring down the host and disrupt all neighboring virtual machines on the same physical server.
According to the researcher, on distributions such as RHEL, where /dev/kvm has permissions 0666 (available to all users), the same bug can potentially be used for local privilege escalation to root, although the primary threat vector is guest-to-host escape.
It is worth noting that CVE-2026-53359 is already the second use-after-free vulnerability in the shadow MMU within two months. In May 2026, a similar but distinct issue, CVE-2026-46113, related to rmap mismatch in the same legacy code, was fixed. This points to systemic fragility in the legacy shadow MMU path.
Context: a series of disclosures by one researcher
Januscape is the third Linux kernel vulnerability disclosure by researcher Hyunwoo Kim (@v4bel) in roughly two months. In May 2026, he released Dirty Frag (CVE-2026-43284 / CVE-2026-43500) — a chain of vulnerabilities in page cache writes. In June, this was followed by ITScape (CVE-2026-46316) — the first publicly demonstrated guest-to-host escape on KVM/arm64 via a race condition in the virtual interrupt controller. Januscape completes the picture on the x86 side.
According to Kim, the exploit was submitted as a zero-day finding to the Google kvmCTF program, launched in 2024 and offering rewards of up to $250,000 for a full guest-to-host escape. However, this claim has not been confirmed by Google in public sources.
Practical recommendations
Stable kernel versions with the fix were released on July 4, 2026:
- 7.1.3, 6.18.38, 6.12.95, 6.6.144, 6.1.177, 5.15.211, 5.10.260
Priority actions:
- Check for the patch. Make sure the kernel includes commit
81ccda30b4e8. Distribution backports may carry the fix under a different version number — check the package changelog, not just theuname -routput. - If immediate update is impossible, disable nested virtualization for untrusted guests via module parameters:
kvm_intel.nested=0orkvm_amd.nested=0. This fully eliminates the attack vector. - Review /dev/kvm access configuration. On systems where this device file is accessible to all users, consider restricting its permissions.
NVD has not yet assigned a CVSS score for CVE-2026-53359. ARM64 hosts are not affected by this vulnerability — ITScape (CVE-2026-46316) is a separate issue for KVM/arm64.
The public PoC shows a reliable host crash, and two shadow MMU vulnerabilities in two months signal an accumulated technical debt in KVM’s legacy code. Administrators of x86 KVM hosts with nested virtualization and multi-tenant access should treat upgrading the kernel to a fixed version as a high-priority task, without waiting for a CVSS rating.