Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Linux KVM Vulnerability (CVE-2024-4655) Exposes Host Kernel Memory
July 7, 2026
Critical Tenda Vulnerability Allows Remote Admin Access
July 7, 2026
Critical BeyondTrust Vulnerabilities Allow Access Control Bypass
July 7, 2026
Home/CyberSecurity News/Critical Linux KVM Vulnerability (CVE-2024-4655) Exposes Host Kernel Memory
CyberSecurity News

Critical Linux KVM Vulnerability (CVE-2024-4655) Exposes Host Kernel Memory

Key Takeaways A critical vulnerability, CVE-2026-53359, dubbed “Januscape,” has been identified in Linux KVM, allowing malicious guest VMs to corrupt host kernel memory. This flaw,...

David kimber
David kimber
July 7, 2026 3 Min Read
2 0

Key Takeaways

  • A critical vulnerability, CVE-2026-53359, dubbed “Januscape,” has been identified in Linux KVM, allowing malicious guest VMs to corrupt host kernel memory.
  • This flaw, present for nearly 16 years, affects KVM’s x86 shadow memory management on both Intel and AMD systems, primarily impacting nested virtualization scenarios.
  • While a public proof-of-concept demonstrates a denial-of-service, researchers confirm the potential for full guest-to-host escape and arbitrary code execution with root privileges.
  • A patch was developed and merged into the Linux kernel following responsible disclosure in June 2026, and immediate application is strongly recommended.

Critical KVM Vulnerability “Januscape” Exposes Host Kernel Memory

A significant security flaw, identified as CVE-2026-53359 and named “Januscape,” has been uncovered within the Linux Kernel-based Virtual Machine (KVM). This vulnerability permits a malicious guest operating system to corrupt the memory of its host kernel, thereby compromising the fundamental isolation principles inherent to virtualization.

Table Of Content

  • Key Takeaways
  • Critical KVM Vulnerability “Januscape” Exposes Host Kernel Memory
  • The Root of the Januscape Flaw
  • From Inconsistency to Kernel Corruption
  • What You Should Do

The issue, which has eluded detection for approximately 16 years, resides within KVM’s x86 shadow memory management logic, impacting both Intel and AMD processor architectures.

The Root of the Januscape Flaw

The vulnerability’s origin lies in KVM’s shadow Memory Management Unit (MMU), specifically in how it handles nested virtualization. While contemporary systems generally leverage hardware-assisted paging mechanisms like Intel EPT or AMD NPT, KVM reverts to software-based shadow paging when a guest hypervisor (L1) hosts its own nested guest (L2).

In this particular configuration, the host system (L0) is tasked with emulating second-level address translation via software, creating a susceptible code path. Januscape’s core issue is a logical defect within the function responsible for retrieving shadow page structures.

The implementation erroneously reuses an existing shadow page based solely on a matching guest frame number (GFN), without adequately verifying the page’s designated role. Within KVM, shadow pages can represent diverse translation contexts, such as direct mappings or page table shadows. The reuse of a page with an incorrect role leads to critical inconsistencies in memory tracking.

This discrepancy disrupts internal invariants within KVM’s reverse mapping (rmap) system, which is crucial for tracking how guest memory maps to host physical pages.

From Inconsistency to Kernel Corruption

Over time, this persistent inconsistency culminates in a use-after-free condition, where a previously deallocated shadow page remains referenced. When the kernel subsequently attempts to clean up this structure, it writes to memory that may have already been reallocated for another purpose, effectively leading to kernel memory corruption.

A publicly available proof-of-concept demonstrates a denial-of-service (DoS) attack. By meticulously orchestrating nested page table operations from within a guest, an attacker can trigger memory corruption, which is then detected by KVM’s integrity checks. This detection results in a kernel panic on the host, causing the entire system to crash. On systems configured with stringent corruption checks, such as those utilizing CONFIG_BUG_ON_DATA_CORRUPTION, the crash is immediate and reliably triggered.

More alarmingly, researchers have confirmed that the same flaw can be exploited to achieve full guest-to-host escape, allowing arbitrary code execution on the host with root privileges, though this exploit has not been publicly released. This significantly elevates the severity of the vulnerability, particularly in multi-tenant cloud environments like AWS or Google Cloud, where untrusted guests might be permitted to operate with nested virtualization enabled.

A notable characteristic of Januscape is its cross-architecture impact. Given that the vulnerable logic resides in shared x86 KVM code, the exploit functions on both Intel (VMX) and AMD (SVM) platforms with only minor adjustments. The GitHub proof-of-concept abstracts architecture-specific details, showcasing reliable exploitation across both environments. The vulnerability was reportedly exploited as a zero-day in Google’s kvmCTF prior to its public disclosure, underscoring its real-world implications.

Following responsible disclosure in June 2026, a corrective patch was swiftly developed and integrated into the Linux kernel. The fix ensures that shadow pages are only reused when both the guest frame number and the page’s role precisely match, thereby eliminating the underlying cause of the confusion.

What You Should Do

  • Organizations employing KVM-based virtualization are strongly advised to apply the latest Linux kernel patch immediately.
  • Systems that provide nested virtualization capabilities to guest users face the highest risk and should prioritize patching.
  • As a temporary mitigation, consider disabling nested virtualization if immediate patching is not feasible, though this may impact functionality for some users.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchVulnerabilityzero-day

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Critical Tenda Vulnerability Allows Remote Admin Access

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Top 10 Next-Generation Firewall Solutions for 2026
July 6, 2026
Microsoft Device Code Phishing Attack Steals Tokens via Login Page
July 6, 2026
Critical Gemini Live Voice flaw lets attackers inject tools via misconfigured tokens
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us