🔴 Critical  |  Source: The Hacker News


A 16-year-old use-after-free vulnerability in the Linux KVM hypervisor (CVE-2026-53359), dubbed ‘Januscape’, allows a guest virtual machine to corrupt host kernel memory and potentially escape its isolation boundary. The flaw affects both Intel and AMD x86 systems via shared shadow MMU code. A public proof-of-concept already causes host kernel panics, and the researcher claims a full working exploit exists but has not been released.

Security Architect’s Take: Prioritise patching Linux hosts running KVM-based workloads immediately, particularly in multi-tenant or shared cloud infrastructure environments where guest-to-host escape carries severe blast radius. If patches are unavailable, consider migrating sensitive workloads to alternative hypervisor platforms or isolating KVM hosts at the network level until remediation is confirmed.

Original advisory: 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems