CVE Tools
Back to feed
Ars Technica (Security) ·EN Restricted ResearchKVM

Google pays $250K for Linux vulnerability allowing guest VM escapes

By Dan Goodin··2 min read
CVE Tools coverage

A critical vulnerability in the KVM virtualization component of Linux, identified as CVE-2026-53359, enables untrusted guest virtual machines to achieve root-level access on the host system. This flaw, dubbed Januscape, resides within the shadow MMU emulation and could allow attackers to disrupt or take control of cloud environments. Discovered after remaining undetected for 16 years, it impacts both AMD and Intel-based systems using KVM. Researchers have demonstrated a proof-of-concept exploit that crashes the host OS from within a guest VM.