Google pays $250K for Linux vulnerability allowing guest VM escapes

A Linux vulnerability that permits untrusted virtual machines to realize root access to host machines is one in every of two high-severity flaws to surface this week within the open source operating system.

The vulnerability resides in KVM, which is, in essence, a virtual machine app included within the kernel of many Linux distributions. The vulnerability, tracked as CVE-2026-53359, allows guest virtual machines—akin to those utilized in cloud platforms to isolate one user’s instance from the host OS and other user instances—to interrupt out of that container.

Januscape: A threat to cloud platforms

The vulnerability affects KVM running on each AMD and Intel processors. It exploits bugs residing within the KVM guest-side, the portion of the VM that consists of only resources just like the OS or drivers present within the guest VM, slightly than resources present on the host machine. The threat went unnoticed within the Linux kernel for 16 years.

“With guest-side actions alone, an attacker can compromise the host that runs their VM,” Hyunwoo Kim, the researcher who discovered the flaw, wrote. “For instance, an attacker who has rented only a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the identical physical machine (DoS), or run code with root privilege on the host to take over the host and all of the guests on it (RCE).”

Kim has named the vulnerability Januscape. The flaw is a use-after-free vulnerability—a type of memory corruption vulnerability that injects malicious code into recently freed regions of memory. The vulnerability resides within the shadow MMU emulation, a process that translates host memory addresses to hypervisor memory addresses and vice versa.

Exploits will trigger guest-side actions alone to deprave the host kernel’s shadow page, an information structure within the host that assists within the address translation. Kim has released a proof-of-concept exploit that runs within the guest VM to trigger a crash on the host OS. He said an exploit that fully escapes the guest also exists but won’t be released until “the very distant future.”

Related Post

Leave a Reply