// NEXUSVOID CYBER NEWS

<- ALL CYBER NEWS

High

KVM, hypervisor, VM escape, Januscape, CVE-2026-53359, cloud, virtualization

A 16-Year-Old Flaw Lets a Virtual Machine Break Out and Seize Its Host

A use-after-free flaw hidden in Linux's KVM hypervisor for 16 years, named Januscape (CVE-2026-53359), lets a guest VM corrupt the host kernel and escape to the machine underneath. In multi-tenant cloud, that breaks the core isolation promise.

Virtual machines are supposed to be sealed boxes. The whole model of cloud computing rests on the promise that one tenant's virtual machine cannot reach the host, or its neighbors. A newly disclosed flaw in Linux's KVM hypervisor, hiding in plain sight since 2010, puts a crack in that promise.

The bug, dubbed Januscape and tracked as CVE-2026-53359, is a use-after-free in the shadow-paging code that KVM shares across Intel and AMD x86 systems, found by researcher Hyunwoo Kim and reported by The Hacker News. Triggered from inside a guest virtual machine, it corrupts the memory state of the host kernel that runs it. The publicly released proof-of-concept uses that to crash the host, which in a shared environment is bad enough on its own: a single rented instance can take down every other tenant on the same physical machine. Kim says a separate, unreleased exploit turns the same bug into full code execution on the host, which would put every neighboring VM at the mercy of whoever holds it.

There are two catches worth stating plainly, because they shape the risk. The attack needs root inside the guest, which is normal on a rented cloud instance, and it needs nested virtualization enabled on the host. And what makes a sixteen-year-old bug unsettling is not that it is new, but that it never was. It sat in security-critical shared infrastructure the whole time, a reminder that age and scrutiny are not the same thing, and that the most consequential vulnerabilities often live in the foundations nobody thinks to re-examine.

Fixes shipped in early July across the stable kernel branches. If you run multi-tenant virtualization or a private cloud on KVM, patch the host kernels now, pay closest attention to hosts with nested virtualization exposed and guests you do not fully control, and remember that trust in your isolation boundary is only ever as good as the last time you actually tested it.

Sources: The Hacker News, with the flaw discovered by Hyunwoo Kim.

Liked this briefing? Share it:

More briefings

Related posts appear on the live page
Get the briefings first
Breaking security news, verified fast, with the one fact the headlines skip. No spam - unsubscribe anytime.