DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-53359: CVE-2026-53359: Use-After-Free in Linux Kernel KVM Shadow MMU (Januscape)

CVE-2026-53359: Use-After-Free in Linux Kernel KVM Shadow MMU (Januscape)

Vulnerability ID: CVE-2026-53359
CVSS Score: 8.8
Published: 2026-07-04

Januscape (CVE-2026-53359) is a critical Use-After-Free vulnerability in the x86 Shadow MMU component of the Linux Kernel's KVM subsystem. A logic error in shadow page tracking permits unauthorized page reuse without validating architectural execution roles, leading to dangling pointers in reverse mapping (rmap) tracking entries during guest memory teardown.

TL;DR

A 16-year-old logic flaw in KVM's Shadow MMU allows a virtual machine guest administrator to bypass hypervisor isolation, causing a guest-to-host escape, local privilege escalation, or host denial of service.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-416 (Use-After-Free)
  • Attack Vector: Local / Guest VM Control
  • CVSS v3.1 Score: 8.8
  • EPSS Score: 0.00176
  • Impact: Guest-to-Host Escape / Local Privilege Escalation
  • Exploit Status: Proof-of-Concept / Weaponized (kvmCTF)
  • CISA KEV Status: Not Listed

Affected Systems

  • Linux Kernel (KVM Subsystem)
  • Linux Kernel: >= 2.6.36, < 6.1.177 (Fixed in: 6.1.177)
  • Linux Kernel: >= 6.2, < 6.6.144 (Fixed in: 6.6.144)
  • Linux Kernel: >= 6.7, < 6.12.95 (Fixed in: 6.12.95)
  • Linux Kernel: >= 6.13, < 6.18.38 (Fixed in: 6.18.38)
  • Linux Kernel: >= 6.19, < 7.1.3 (Fixed in: 7.1.3)

Code Analysis

Commit: 81ccda3

KVM: x86/mmu: Compare role inside kvm_mmu_get_child_sp to prevent UAF

Commit: 1ae7d5a

KVM: x86/mmu: Fix shadow page reuse role mismatch (6.1.y backport)

Commit: 2ad3afa

KVM: x86/mmu: Fix shadow page reuse role mismatch (6.6.y backport)

Exploit Details

  • OSS-Security Mailing List: Proof of Concept for kernel Denial of Service triggering the UAF in pte_list_remove.
  • GitHub: Community-hosted repository replicating the Januscape PoC exploit structure.

Mitigation Strategies

  • Upgrade to patched Linux kernel versions.
  • Disable nested virtualization in KVM configuration.
  • Restrict access permissions to /dev/kvm.

Remediation Steps:

  1. Verify the current running kernel version using 'uname -r'.
  2. Apply system updates via your package manager to acquire a patched kernel version.
  3. Configure /etc/modprobe.d/kvm_nested.conf with nested=0 to disable nesting.
  4. Verify permission constraints on /dev/kvm using 'ls -l /dev/kvm'.

References


Read the full report for CVE-2026-53359 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)