16-Year-Old Linux KVM Vulnerability Allows Malicious Guest to Corrupt Host Kernel Memory

16-Year-Old Linux KVM Vulnerability Allows Malicious Guest to Corrupt Host Kernel Memory










A newly disclosed Linux Kernel-based Virtual Machine (KVM) vulnerability, tracked as CVE-2026-53359 and dubbed “Januscape,” exposes a critical flaw that allows a malicious guest to corrupt host kernel memory, breaking the fundamental isolation guarantees of virtualization.

The issue, which remained unnoticed for nearly 16 years, affects KVM’s x86 shadow memory management logic and impacts both Intel and AMD systems.

The vulnerability resides in KVM’s shadow MMU (Memory Management Unit), specifically in its handling of nested virtualization.

While modern systems typically rely on hardware-assisted paging such as Intel EPT or AMD NPT, KVM falls back to shadow paging when a guest hypervisor (L1) runs its own nested guest (L2).

In this scenario, the host (L0) must emulate second-level address translation in software, exposing a fragile code path. At the core of Januscape is a logic flaw in the function that retrieves shadow page structures.

The implementation incorrectly reuses an existing shadow page based solely on a matching guest frame number (GFN), without verifying the page’s role.

In KVM, shadow pages can represent different translation contexts, such as direct mappings or page table shadows. Reusing a page with the wrong role leads to inconsistencies in memory tracking.

This mismatch breaks internal invariants in KVM’s reverse mapping (rmap) system, which tracks how guest memory maps to host physical pages.

16-Year-Old Linux KVM Vulnerability

Over time, this inconsistency results in a use-after-free condition, where a previously freed shadow page is still referenced.

When the kernel later attempts to clean up this structure, it writes to memory that may have already been reallocated for another purpose, effectively corrupting kernel memory.

The publicly released proof-of-concept demonstrates a denial-of-service (DoS) attack. By carefully orchestrating nested page table operations inside a guest, an attacker can trigger memory corruption that is detected by KVM’s integrity checks.

This leads to a kernel panic on the host, resulting in the entire system crashing. On systems with strict corruption checks enabled, such as those using CONFIG_BUG_ON_DATA_CORRUPTION, the crash is immediate and reliable.

More concerning is the potential for full guest-to-host escape. Although not publicly released, researchers confirmed that the same flaw can be exploited to achieve arbitrary code execution on the host with root privileges.

This significantly increases the severity, especially in multi-tenant cloud environments such as AWS or Google Cloud, where untrusted guests may be allowed to run with nested virtualization enabled.

One notable aspect of Januscape is its cross-architecture impact. Because the vulnerable logic exists in shared x86 KVM code, the exploit works on both Intel (VMX) and AMD (SVM) platforms with minimal changes.

The GitHub proof-of-concept abstracts architecture-specific details, demonstrating reliable exploitation across both environments. The vulnerability was actively exploited as a zero-day in Google’s kvmCTF before public disclosure, highlighting its real-world impact.

Following responsible disclosure in June 2026, a patch was quickly developed and merged into the Linux kernel. The fix ensures that shadow pages are only reused when both the guest frame number and the page role match, eliminating the root cause of the confusion.

Organizations running KVM-based virtualization are strongly advised to apply the patch immediately. Systems that expose nested virtualization to guest users are at the highest risk. Until patched, turning off nested virtualization can reduce exposure.

Januscape underscores the risks hidden in legacy code paths within widely trusted infrastructure and highlights how subtle memory-management flaws can undermine even mature isolation mechanisms.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

The post 16-Year-Old Linux KVM Vulnerability Allows Malicious Guest to Corrupt Host Kernel Memory appeared first on Cyber Security News.






Abinaya





Go to cyber-security-news





by