Critical Linux KVM bug lets hackers take over servers for 16 years
Virtual machines, managed by Linux KVM, can be abused by attackers to completely take over the host using a newly discovered vulnerability.

Image by Cybernews.
- A dormant KVM vulnerability allows attackers to escape virtual machines and compromise host servers.
- Linux maintainers have released a fix, so system operators should update their kernels to prevent exploitation.
- A proof-of-concept code was released, but the full escape exploit code is not currently public.
KVM, a critical Linux virtualization technology powering most of the cloud, contains a massive guest-to-host escape bug, which enables hackers to take over entire servers from a virtual machine.
Hyunwoo Kim, an independent vulnerability researcher, disclosed a critical vulnerability in Linux KVM that had remained dormant for 16 years. He gave it the nickname “Januscape.”
Hackers can exploit it and hijack servers with relative ease – they can escape from a simple virtual machine running on a multi-tenant cloud server, take control of the host machine, and with that, every other customer’s VMs running on it.
The researcher successfully disclosed the zero-day exploit to Google's KVMCTF bug bounty program, which offers up to $250,000.
“It is a KVM escape vulnerability that lets a guest escape to the host in a KVM/x86 environment. To the best of public knowledge, this is the first guest-to-host exploit research triggerable on both Intel and AMD, rather than being limited to a single architecture,” the researcher writes.
Kim demonstrated a proof-of-concept code that, when run in a guest virtual machine, triggers a host kernel panic.
However, the researcher said the full escape exploit code won’t be released anytime soon.
It “is planned to be released in the very distant future,” Kim assured.
The bug can also be exploited on some distributions to reliably elevate privileges to root.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
KVM is nearly everywhere – it’s a part of the Linux Kernel. It enables Linux to act as a hypervisor, running multiple, isolated virtual machines (VMs). Many hosting providers and large cloud giants use KVM to run customer instances.
Attackers can simply rent a VM in a public cloud and compromise the entire host “with guest-side actions alone.” The only prerequisite is that the attacker has root privileges on the VM instance, which is often the case for tenants, or uses another vulnerability to elevate privileges.
Linux kernel maintainers fixed the bug upstream and backported it to the supported stable kernel branches. The researcher published a report on GitHub after the agreed embargo ended.
Kim also urges x86 KVM host operators to check whether they’re using a kernel with the patch applied. The bug doesn’t rely on Qemu, and many proprietary virtualization stacks can be affected.
The bug has been designated CVE-2026-53359. Its severity score hasn’t been assessed yet, but given its characteristics, it’s likely to be at the critical end of the scale.
Check if your data has been leaked
How does the bug work?
The use-after-free vulnerability lies in KVM/x86's shadow MMU emulation, a part of the virtualization system that helps the host to track where the virtual machine’s memory is connected to the actual physical RAM.
The issue can be triggered when a guest VM runs another VM itself, a feature known as nested virtualization. In this situation, the host has to manage an additional layer of memory translation. For this, KVM creates and maintains its own copy of the nested VM’s memory mappings.
However, potential attackers can tamper with the mappings.
Hackers inside the VM can create specially crafted memory tables that confuse KVM by making the same memory page briefly appear to have two different roles. This breaks KVM’s internal memory tracking and creates a race condition, which can lead to memory corruption.
Usually, this would cause the host to crash – in the proof-of-concept, the kernel detects an error and crashes (a kernel panic). But a more advanced exploit could give the attacker control over which code runs on the host.
“Turning this vulnerability into a full escape is difficult work, because the primitive is tricky,” the researcher said in the write-up.
However, the patch itself is simple – it fixes the memory-tracking logic so it reuses internal memory mapping only when the location and intended purpose match.