INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Januscape Exploit Enables Guest VM Escape Attacks
| 2026-07-07 07:07 CRITICAL HIGHExecutive Summary AI-generated
The Linux kernel's KVM virtualization technology has been compromised with a 16-year-old bug that enables cloud VM escape attacks. The vulnerability, known as CVE-2026-53359 and named Januscape, was first discovered in August 2010 but remained unpatched until now. Once exploited, it allows attackers to corrupt host kernel memory, potentially leading to crashes or allowing control over the system. This bug affects ARM64 KVM hosts, which are not affected by a separate guest-to-host issue on that architecture. The vulnerability has been identified as Kim's third significant Linux kernel exploit in roughly two months and is considered critical due to its potential impact on cloud VMs and nested virtualization systems like x86 public clouds such as Google Compute Platform (GCP) and Amazon Web Services (AWS).
Technical Mitigations AI-generated
* Implement a memory protection mechanism, such as address space layout randomization (ASLR) or data execution prevention (DEP), to prevent guest VMs from accessing host kernel memory directly.
* Use a secure hypervisor architecture that includes features like kernel segmentation and isolation, which can help limit the damage caused by a guest-to-host KVM exploit.
* Regularly update and patch Linux distributions running on x86 systems to ensure they have the latest security fixes and patches for known vulnerabilities like Januscape.
* Implement a robust privilege separation mechanism between guests and hosts, such as using separate kernel namespaces or virtualization stacks, to prevent nested virtualization attacks from escaping into the host kernel.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-46316CVE-2026-46316
CVE-2026-43284CVE-2026-43284
CVE-2026-43500CVE-2026-43500
CVE-2026-46113CVE-2026-46113
CVE-2026-53359CVE-2026-53359
Target & Sectors
Global Scope
technologytechnology
Incident Timeline
2010/08/01
Threat actors exploited a 16-year-old Linux KVM bug in Januscape to target cloud VMs.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-53359
“Januscape (CVE-2026-53359) covers the range from
2032a93d66fa (2010-08-01)
to
81ccda30b4e8 (2026-06-16)
.”
August 2010
The incident affects Linux kernel versions prior to 2.6.36, specifically commit 2032a93d66fa in August 2010 and later commits that merged into mainline on June 19, 2023.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-53359
The bug, tracked as CVE-2026-53359 and named Januscape, has been sitting in the kernel since August 2010.
infrastructure
2.6.36
Who Is Affected
The vulnerable code has been present since
commit 2032a93d66fa
in August 2010 (kernel 2.6.36 era) and was fixed by
commit 81ccda30b4e8
, merged into mainline on June 19, 2026.
infrastructure
Linux
Kernel-based Virtual Machine (KVM) is a virtualization technology built directly into the Linux kernel that allows one physical computer to run multiple independent virtual machines (VMs).
Once KVM’s internal records become incorrect, the Linux kernel may handle invalid data, causing crashes or potentially allowing an attacker to gain control.
organisation
Kernel
Kernel-based Virtual Machine (KVM) is a virtualization technology built directly into the Linux kernel that allows one physical computer to run multiple independent virtual machines (VMs).
organisation
Virtual Machine
Kernel-based Virtual Machine (KVM) is a virtualization technology built directly into the Linux kernel that allows one physical computer to run multiple independent virtual machines (VMs).
organisation
Google’s kvmCTF
Kim used it as a zero-day submission in Google’s kvmCTF program, which offers up to $250,000 for full guest-to-host escapes.
financial
$250,000 program
Kim used it as a zero-day submission in Google’s kvmCTF program, which offers up to $250,000 for full guest-to-host escapes.
organisation
KVM
KVM maintains its own internal set of page tables to track a guest’s memory layout.
organisation
GCP
It can trigger the bug with guest-side actions alone to corrupt the host kernel’s shadow page, and it can threaten the guest-host isolation of KVM/x86 hosts that accept untrusted guests and expose nested virtualization, particularly multi-tenant x86 public clouds (GCP, AWS, etc.).”
states
Kim.
organisation
AWS
It can trigger the bug with guest-side actions alone to corrupt the host kernel’s shadow page, and it can threaten the guest-host isolation of KVM/x86 hosts that accept untrusted guests and expose nested virtualization, particularly multi-tenant x86 public clouds (GCP, AWS, etc.).”
states
Kim.
organisation
QEMU
“Unlike the commonly published QEMU escape vulnerabilities, Januscape occurs in in-kernel KVM, so it is triggered independently of QEMU’s emulation.
May 2026
Pierluigi Paganini disclosed a page-cache write vulnerability chain, Dirty Frag, which delivers reliable root on most Linux distributions and extends the same bug class as Dirty Pipe and Copy Fail.
Click on any entity below to view its context and source!
infrastructure
Linux
In May 2026, he disclosed
Dirty Frag
(CVE-2026-43284 and CVE-2026-43500), a page-cache write vulnerability chain that delivers reliable root on most major Linux distributions, extending the same vulnerability class as
Dirty Pipe
and
Copy Fail
.
vulnerability
CVE-2026-43284
In May 2026, he disclosed
Dirty Frag
(CVE-2026-43284 and CVE-2026-43500), a page-cache write vulnerability chain that delivers reliable root on most major Linux distributions, extending the same vulnerability class as
Dirty Pipe
and
Copy Fail
.
In May 2026, he disclosed
Dirty Frag
(
CVE-2026-43284 / CVE-2026-43500
), a page-cache write vulnerability chain that delivers deterministic root on most major distributions, extending the same bug class as Dirty Pipe and Copy Fail.
vulnerability
CVE-2026-43500
In May 2026, he disclosed
Dirty Frag
(CVE-2026-43284 and CVE-2026-43500), a page-cache write vulnerability chain that delivers reliable root on most major Linux distributions, extending the same vulnerability class as
Dirty Pipe
and
Copy Fail
.
In May 2026, he disclosed
Dirty Frag
(
CVE-2026-43284 / CVE-2026-43500
), a page-cache write vulnerability chain that delivers deterministic root on most major distributions, extending the same bug class as Dirty Pipe and Copy Fail.
organisation
CVE-2026
In May 2026, he disclosed
Dirty Frag
(CVE-2026-43284 and CVE-2026-43500), a page-cache write vulnerability chain that delivers reliable root on most major Linux distributions, extending the same vulnerability class as
Dirty Pipe
and
Copy Fail
.
general_metric
43500 Dirty Frag
In May 2026, he disclosed
Dirty Frag
(CVE-2026-43284 and CVE-2026-43500), a page-cache write vulnerability chain that delivers reliable root on most major Linux distributions, extending the same vulnerability class as
Dirty Pipe
and
Copy Fail
.
organisation
Dirty Pipe
In May 2026, he disclosed
Dirty Frag
(
CVE-2026-43284 / CVE-2026-43500
), a page-cache write vulnerability chain that delivers deterministic root on most major distributions, extending the same bug class as Dirty Pipe and Copy Fail.
organisation
Copy Fail
In May 2026, he disclosed
Dirty Frag
(
CVE-2026-43284 / CVE-2026-43500
), a page-cache write vulnerability chain that delivers deterministic root on most major distributions, extending the same bug class as Dirty Pipe and Copy Fail.
vulnerability
CVE-2026-46113
A separate KVM x86 shadow paging use-after-free (
CVE-2026-46113
) involving a related but distinct rmap mismatch was fixed in May 2026.
organisation
SecurityAffairs
Follow me on Twitter:
@securityaffairs
and
Facebook
and
Mastodon
Pierluigi Paganini
(
SecurityAffairs
– hacking, Januscape)
2026/06/16
Threat actors exploited a 16-year-old Linux KVM bug in Januscape to target cloud VMs on June 16, 2026.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-53359
“Januscape (CVE-2026-53359) covers the range from
2032a93d66fa (2010-08-01)
to
81ccda30b4e8 (2026-06-16)
.”
June 19, 2026
The incident affects Linux systems running kernel 2.6.36 and later versions, specifically those with KVM (Kernel Virtual Machine) enabled.
Click on any entity below to view its context and source!
infrastructure
2.6.36
Who Is Affected
The vulnerable code has been present since
commit 2032a93d66fa
in August 2010 (kernel 2.6.36 era) and was fixed by
commit 81ccda30b4e8
, merged into mainline on June 19, 2026.
July 4, 2026
Threat actors used a Linux KVM bug to target ARM64 hosts in the Januscape exploit.
Click on any entity below to view its context and source!
infrastructure
Linux
Januscape is Kim’s third significant Linux kernel exploit in roughly two months.
organisation
ITScape
ARM64 KVM hosts aren’t affected by Januscape specifically, though Kim’s earlier ITScape disclosure (CVE-2026-46316) covers a separate guest-to-host issue on that architecture.
organisation
NVD
NVD hasn’t assigned a CVSS score yet.
organisation
CVSS
NVD hasn’t assigned a CVSS score yet.
2026/07/07
Threat actors used a use-after-free vulnerability in Linux's KVM hypervisor to target cloud VMs on Intel and AMD x86 systems.
Click on any entity below to view its context and source!
infrastructure
Linux
Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks.
Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks
Januscape: A 16-year-old Linux KVM flaw lets cloud VM tenants crash hosts and potentially escape guests.
Security researcher
Hyunwoo Kim
has published details of a use-after-free vulnerability in Linux’s KVM hypervisor that allows code running inside a guest virtual machine to corrupt host kernel memory.
16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems.
A use-after-free bug in Linux's KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it.
A Busy Few Months for One Researcher
Januscape is Kim's third Linux kernel exploit disclosure in roughly two months.
organisation
Intel
16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems.
It affects Intel and AMD systems.
organisation
AMD x86 Systems
16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems.
organisation
AMD
Dubbed '
Januscape
' and tracked as
CVE-2026-53359
, the flaw sits in the shadow MMU code that KVM shares across both Intel and AMD.
It affects Intel and AMD systems.
organisation
KVM
Dubbed '
Januscape
' and tracked as
CVE-2026-53359
, the flaw sits in the shadow MMU code that KVM shares across both Intel and AMD.
organisation
ITScape
ARM64 hosts are not affected by Januscape; ITScape (CVE-2026-46316) is a separate KVM/arm64 issue.
financial
$250,000 program
According to Kim, the exploit was used as a zero-day submission in
Google's kvmCTF
, the controlled KVM vulnerability reward program that offers up to $250,000 for full guest-to-host escapes.
organisation
Google
According to Kim, the exploit was used as a zero-day submission in
Google's kvmCTF
, the controlled KVM vulnerability reward program that offers up to $250,000 for full guest-to-host escapes.
organisation
QEMU
The exploit needs no cooperation from QEMU or any userspace VMM.
organisation
VMM
The exploit needs no cooperation from QEMU or any userspace VMM.
organisation
NVD
NVD has not yet assigned a CVSS score; do not wait for one.
organisation
CVSS
NVD has not yet assigned a CVSS score; do not wait for one.
infrastructure
Android
Google launched kvmCTF in 2024 specifically because KVM underpins both Android and Google Cloud.
organisation
kvmCTF
Google launched kvmCTF in 2024 specifically because KVM underpins both Android and Google Cloud.
organisation
NPT
Even on hosts that run hardware EPT or NPT by default, nested virtualization forces KVM back through the legacy shadow MMU, which is where the bug sits.
organisation
MMU
Even on hosts that run hardware EPT or NPT by default, nested virtualization forces KVM back through the legacy shadow MMU, which is where the bug sits.
organisation
PoC
Januscape now adds the x86 side; the same trigger fires on both Intel and AMD, with the PoC carrying a separate code path for each vendor.
Tactical Metrics
Metrics
infrastructure
Linux
Affected Product
Click for context!
Kernel-based Virtual Machine (KVM) is a virtualization technology built directly into the Linux kernel that allows one physical computer to run multiple independent virtual machines (VMs).
Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks.
Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks
Januscape: A 16-year-old Linux KVM flaw lets cloud VM tenants crash hosts and potentially escape guests.
Security researcher
Hyunwoo Kim
has published details of a use-after-free vulnerability in Linux’s KVM hypervisor that allows code running inside a guest virtual machine to corrupt host kernel memory.
Once KVM’s internal records become incorrect, the Linux kernel may handle invalid data, causing crashes or potentially allowing an attacker to gain control.
Januscape is Kim’s third significant Linux kernel exploit in roughly two months.
In May 2026, he disclosed
Dirty Frag
(CVE-2026-43284 and CVE-2026-43500), a page-cache write vulnerability chain that delivers reliable root on most major Linux distributions, extending the same vulnerability class as
Dirty Pipe
and
Copy Fail
.
16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems.
A use-after-free bug in Linux's KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it.
A Busy Few Months for One Researcher
Januscape is Kim's third Linux kernel exploit disclosure in roughly two months.
Metrics
financial
250,000
Program
Kim used it as a zero-day submission in Google’s kvmCTF program, which offers up to $250,000 for full guest-to-host escapes.
According to Kim, the exploit was used as a zero-day submission in
Google's kvmCTF
, the controlled KVM vulnerability reward program that offers up to $250,000 for full guest-to-host escapes.
Metrics
infrastructure
2.6.36
Software Version
Who Is Affected
The vulnerable code has been present since
commit 2032a93d66fa
in August 2010 (kernel 2.6.36 era) and was fixed by
commit 81ccda30b4e8
, merged into mainline on June 19, 2026.
Metrics
infrastructure
Android
Affected Product
Google launched kvmCTF in 2024 specifically because KVM underpins both Android and Google Cloud.
Intelligence Sources
The Hacker News
2026-07-06
Security Affairs
2026-07-07
Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks
Security Affairs
Unpublish from Social Media?
Are you sure you want to delete this podcast video from all synchronized social networks (YouTube, Facebook, Threads)?
Important:
Due to Meta API restrictions, Instagram Reels cannot be deleted automatically via API by third-party apps.
View Profile to Delete Manually
View Profile to Delete Manually
Tactical Intelligence
Report Intelligence Issue
Podcast Options
Generate
Incident Version History
CURRENT VERSION
Last Updated: 2026-07-07T10:31
Comprehensive Tactical Telemetry
Highly Correlated Entities
23x
organisation
Identified Entity
Kernel
entity
13x
timeline
Temporal Reference
July 4, 2026
date
5x
vulnerability
Exploited CVE
CVE-2026-53359
cve
2x
infrastructure
Affected Product
Linux
software
2x
tactic
Cyber Operation Type
Gain Control
tactic
Contextual Telemetry
Context Block
5 METRICS
industry
Targeted Sector
Technology
sector
general metric
Dirty Frag
43,500
dirty frag
financial
Program
250,000
program
tactic
MITRE ATT&CK Technique
T1611 - Escape to Host
technique
infrastructure
Software Version
2.6.36
version
Click on any entity below to view its context in the main text!
Selective Unpublish
Selecciona las redes de las que quieres eliminar esta publicación. El sistema intentará borrar el post real de la API y limpiará la base de datos para que puedas volver a lanzarlo.
By navigating this website, you accept the use of strictly necessary technical cookies for session security and basic platform functionality. We do not use tracking or advertising cookies.
Read our Privacy Policy.