A critical Linux vulnerability, tracked as CVE-2026-53359 and dubbed Januscape, has emerged, allowing untrusted virtual machines to gain root access to host machines. Discovered by researcher Hyunwoo Kim, this flaw, which affects KVM on both AMD and Intel processors, could enable attackers to compromise the host operating system. Google has awarded $250,000 for reporting this vulnerability.
Understanding the Januscape Vulnerability
The Januscape vulnerability exploits bugs in the KVM guest-side, which includes resources like the operating system or drivers within the guest VM. This critical flaw allows an attacker to escape their isolated environment and execute malicious code on the host OS, potentially impacting all tenants on the same physical machine.
According to Kim, “With guest-side actions alone, an attacker can compromise the host that runs their VM.” The vulnerability went unnoticed in the Linux kernel for 16 years, raising significant security concerns for users of cloud platforms that rely on KVM virtualization.
Mechanics of the Attack
This vulnerability is categorized as a use-after-free flaw, a type of memory corruption that allows malicious code to be injected into recently freed memory areas. The attack targets the shadow MMU emulation process, which translates memory addresses between the host and the hypervisor.



