Google pays $250K for Linux KVM guest VM escape flaw

Original: Google pays $250K for Linux vulnerability allowing guest VM escapes

Why This Matters

Guest VM escape flaws directly threaten multi-tenant cloud infrastructure security at scale.

Google awarded $250,000 for CVE-2026-53359, a high-severity Linux KVM vulnerability dubbed 'Januscape' that allows guest VMs to escape and gain root access on host machines. A second Linux flaw, CVE-2026-43499 'GhostLock,' enables local privilege escalation to root.

Two high-severity Linux vulnerabilities surfaced this week. The first, CVE-2026-53359, nicknamed 'Januscape,' resides in KVM (Kernel-based Virtual Machine) and affects both AMD and Intel processors. Discovered by researcher Hyunwoo Kim, the flaw is a use-after-free vulnerability in the shadow MMU emulation layer that translates host and hypervisor memory addresses. It went undetected in the Linux kernel for 16 years. By exploiting guest-side actions alone, an attacker with root privileges inside a guest VM can crash the host kernel (DoS) or execute code with root privileges on the host (RCE), potentially compromising all tenant VMs on the same physical machine. A proof-of-concept crash exploit has been released; a full escape exploit exists but will not be published for the foreseeable future. The flaw is not tied to QEMU, meaning it can affect cloud environments using custom virtualization stacks. Google awarded $250,000 for the discovery.

The second flaw, CVE-2026-43499, dubbed 'GhostLock,' allows local privilege escalation to root and lurked in the OS for 15 years. Researchers at Nebula Security found it using Vega, an AI-assisted vulnerability scanner. The bug resides in the kernel's futex priority-inheritance system, specifically in a cleanup path triggered when a lock operation reaches a dead end.

Source

arstechnica.com — Read original →