{"id":14114,"date":"2026-07-07T10:03:36","date_gmt":"2026-07-07T10:03:36","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/07\/16-year-old-linux-kvm-vulnerability-allows-malicious-guest-to-corrupt-host-kernel-memory\/"},"modified":"2026-07-07T10:03:36","modified_gmt":"2026-07-07T10:03:36","slug":"16-year-old-linux-kvm-vulnerability-allows-malicious-guest-to-corrupt-host-kernel-memory","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/07\/16-year-old-linux-kvm-vulnerability-allows-malicious-guest-to-corrupt-host-kernel-memory\/","title":{"rendered":"16-Year-Old Linux KVM Vulnerability Allows Malicious Guest to Corrupt Host Kernel Memory"},"content":{"rendered":"<p>    16-Year-Old Linux KVM Vulnerability Allows Malicious Guest to Corrupt Host Kernel Memory<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">A newly disclosed Linux <a href=\"https:\/\/cybersecuritynews.com\/linux-kernel-6-14-rc3\/\" target=\"_blank\" rel=\"noreferrer noopener\">Kernel-based Virtual Machine (KVM)<\/a> vulnerability, tracked as CVE-2026-53359 and dubbed \u201cJanuscape,\u201d exposes a critical flaw that allows a malicious guest to corrupt host kernel memory, breaking the fundamental isolation guarantees of virtualization.<\/p>\n<p class=\"wp-block-paragraph\">The issue, which remained unnoticed for nearly 16 years, affects KVM\u2019s x86 shadow memory management logic and impacts both Intel and AMD systems.<\/p>\n<p class=\"wp-block-paragraph\">The vulnerability resides in KVM\u2019s shadow MMU (Memory Management Unit), specifically in its handling of nested virtualization.<\/p>\n<p class=\"wp-block-paragraph\">While modern systems typically rely on hardware-assisted paging such as Intel EPT or AMD NPT, KVM falls back to shadow paging when a guest hypervisor (L1) runs its own nested guest (L2).<\/p>\n<p class=\"wp-block-paragraph\">In this scenario, the host (L0) must emulate second-level address translation in software, exposing a fragile code path. At the core of Januscape is a logic flaw in the function that retrieves shadow page structures.<\/p>\n<p class=\"wp-block-paragraph\">The implementation incorrectly reuses an existing shadow page based solely on a matching guest frame number (GFN), without verifying the page\u2019s role.<\/p>\n<p class=\"wp-block-paragraph\">In KVM, shadow pages can represent different translation contexts, such as direct mappings or page table shadows. Reusing a page with the wrong role leads to inconsistencies in memory tracking.<\/p>\n<p class=\"wp-block-paragraph\">This mismatch breaks internal invariants in KVM\u2019s reverse mapping (rmap) system, which tracks how guest memory maps to host physical pages.<\/p>\n<h2 id=\"h-16-year-old-linux-kvm-vulnerability\" class=\"wp-block-heading\"><strong>16-Year-Old Linux KVM Vulnerability<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Over time, this inconsistency results in a <a href=\"https:\/\/cybersecuritynews.com\/use-after-free-vulnerability-linux-kernel\/\" target=\"_blank\" rel=\"noreferrer noopener\">use-after-free condition<\/a>, where a previously freed shadow page is still referenced.<\/p>\n<p class=\"wp-block-paragraph\">When the kernel later attempts to clean up this structure, it writes to memory that may have already been reallocated for another purpose, effectively corrupting kernel memory.<\/p>\n<p class=\"wp-block-paragraph\">The publicly released proof-of-concept demonstrates a denial-of-service (DoS) attack. By carefully orchestrating nested page table operations inside a guest, an attacker can trigger memory corruption that is detected by KVM\u2019s integrity checks.<\/p>\n<p class=\"wp-block-paragraph\">This leads to a kernel panic on the host, resulting in the entire system crashing. On systems with strict corruption checks enabled, such as those using CONFIG_BUG_ON_DATA_CORRUPTION, the crash is immediate and reliable.<\/p>\n<p class=\"wp-block-paragraph\">More concerning is the potential for full guest-to-host escape. Although not publicly released, researchers confirmed that the same flaw can be exploited to achieve arbitrary code execution on the host with root privileges.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/github.com\/V4bel\/Januscape\/raw\/main\/assets\/demo.gif?ssl=1\" alt=\"\"><\/figure>\n<p class=\"wp-block-paragraph\">This significantly increases the severity, especially in multi-tenant cloud environments such as<a href=\"https:\/\/cybersecuritynews.com\/attackers-abuse-cloud-services-malicious-traffic\/\" target=\"_blank\" rel=\"noreferrer noopener\"> AWS or Google Cloud<\/a>, where untrusted guests may be allowed to run with nested virtualization enabled.<\/p>\n<p class=\"wp-block-paragraph\">One notable aspect of Januscape is its cross-architecture impact. Because the vulnerable logic exists in shared x86 KVM code, the exploit works on both Intel (VMX) and AMD (SVM) platforms with minimal changes.<\/p>\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/github.com\/V4bel\/Januscape\/blob\/main\/assets\/write-up.md\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GitHub proof-of-concept abstracts<\/a> architecture-specific details, demonstrating reliable exploitation across both environments. The vulnerability was actively exploited as a zero-day in Google\u2019s kvmCTF before public disclosure, highlighting its real-world impact.<\/p>\n<p class=\"wp-block-paragraph\">Following responsible disclosure in June 2026, a patch was quickly developed and merged into the Linux kernel. The fix ensures that shadow pages are only reused when both the guest frame number and the page role match, eliminating the root cause of the confusion.<\/p>\n<p class=\"wp-block-paragraph\">Organizations running KVM-based virtualization are strongly advised to apply the patch immediately. Systems that expose nested virtualization to guest users are at the highest risk. Until patched, turning off nested virtualization can reduce exposure.<\/p>\n<p class=\"wp-block-paragraph\">Januscape underscores the risks hidden in legacy code paths within widely trusted infrastructure and highlights how subtle memory-management flaws can undermine even mature isolation mechanisms.<\/p>\n<p class=\"has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong>\u00a0Strengthen Your SOC by Accelerating Threat Detection &amp; Rapid Investigations.\u00a0-&gt; <a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Integrate ANY.RUN With Your SOC <\/a><strong><a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Now<\/a><\/strong>.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/16-year-old-linux-kvm-vulnerability\/\">16-Year-Old Linux KVM Vulnerability Allows Malicious Guest to Corrupt Host Kernel Memory<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/16-year-old-linux-kvm-vulnerability\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>16-Year-Old Linux KVM Vulnerability Allows Malicious Guest to Corrupt Host Kernel Memory A newly disclosed Linux Kernel-based Virtual Machine (KVM) vulnerability, tracked as CVE-2026-53359 and dubbed \u201cJanuscape,\u201d exposes a critical flaw that allows a malicious guest to corrupt host kernel memory, breaking the fundamental isolation guarantees of virtualization. The issue, which remained unnoticed for nearly [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-14114","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14114"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14114"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14114\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}