A 16-year-old Linux kernel bug just got a name: Januscape. It’s bad.
Tracked as CVE-2026-53359, this is a use-after-free vulnerability in KVM/x86’s shadow MMU emulation. Translation: an attacker with root access inside a virtual machine can escape to the host. Once they’re on the host, they can run code as root, take over every other VM running on that machine, or crash the host kernel entirely — knocking every tenant offline.
Security researcher Hyunwoo Kim discovered the flaw. It’s particularly nasty because it works on both Intel and AMD architectures, which makes it the first cross-platform guest-to-host escape exploit. Most VM escapes are limited to one processor family. This one isn’t.
That’s a serious problem for multi-tenant public clouds — Google Cloud, AWS, anyone running shared infrastructure. “With guest-side actions alone, an attacker can compromise the host that runs their VM,” Kim notes.
On some Linux distributions where /dev/kvm is world-writable, unprivileged attackers can also use this bug to gain root access directly on unpatched devices.
The fix was committed to the Linux kernel in June 2026 (patch commit 81ccda30b4e8). If you’re running KVM/x86 hosts that accept multi-tenant guests, verify that patch is applied. Kim’s proof-of-concept exploit can trigger a host kernel panic — he says a full escape exploit won’t be released for now, but the write-up is public.
