16-year-old KVM flaw allows attackers to escape VMs and take over Linux servers

A critical vulnerability in the Kernel-based Virtual Machine (KVM) module of the Linux kernel allows attackers with root access in a guest VM to execute arbitrary code on the host system. This violates the most important security boundary that cloud providers and enterprises rely on to isolate sensitive processes on servers.

The vulnerability, tracked as CVE-2026-53359, stems from a use-after-free memory bug in the shadow MMU emulation of KVM on x86 CPU architecture. According to Hyunwoo Kim, the researcher who discovered it, the flaw has been present in the Linux kernel code for the past 16 years and is the first KVM guest-to-host escape vulnerability that works on both Intel and AMD CPUs.

Hyunwoo dubbed the flaw Januscape and reported it through Google’s kvmCTF, a vulnerability reward program that pays up to $250,000 for a full VM escape demonstrated in KVM, which Google uses in Google Cloud as well as Android infrastructure.

“With guest-side actions alone, an attacker can compromise the host that runs their VM,” the research wrote in an advisory on GitHub. “For example, an attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE).”

On some Linux distributions, including Red Hat Enterprise Linux (RHEL), the vulnerability can also be exploited for local privilege escalation inside the guest VM because the /dev/kvm device is world-writable (0666).

The Januscape flaw was patched by the Linux kernel maintainers on June 16, but users should check for updates from their respective distribution maintainers. Because Linux has a large ecosystem of variants and support channels, it could take a while for the patches to trickle down to all existing flavors.

VM escape proof of concept

Hyunwoo released a proof-of-concept that demonstrates the kernel panic and denial-of-service condition, but he has held back on releasing the full VM escape exploit for now. Even though he said in his detailed write-up that achieving a full escape is difficult because the primitive is tricky, it doesn’t mean other researchers or malicious attackers wouldn’t be able to develop a working exploit.

Januscape only works on servers with Intel and AMD CPUs, but Hyunwoo also disclosed a different KVM guest-to-host escape vulnerability dubbed ITScape (CVE-2026-46316) last month that works on ARM64 architecture. The researcher, who uses the moniker V4bel online, is also the person who developed the Dirty Frag Linux privilege escalation exploit earlier this year by combining the Dirty Pipe (CVE-2022-0847) and Copy Fail (CVE-2026-31431) kernel page-cache corruption techniques.

VM escape exploits are among the most dangerous attacks to enterprise environments, which often use virtualization to isolate legacy applications and services that are no longer supported by their developers or whose compromise could pose a big risk to the entire infrastructure.

Attackers have exploited VM escape vulnerabilities in the wild before, particularly targeting the VMware ESXi hypervisor, and there are even APT groups that specialize in targeting virtualized environments.