CVE-2026-53359: Use-After-Free in Linux Kernel KVM Shadow MMU (Januscape)
Vulnerability ID: CVE-2026-53359
CVSS Score: 8.8
Published: 2026-07-04
Januscape (CVE-2026-53359) is a critical Use-After-Free vulnerability in the x86 Shadow MMU component of the Linux Kernel's KVM subsystem. A logic error in shadow page tracking permits unauthorized page reuse without validating architectural execution roles, leading to dangling pointers in reverse mapping (rmap) tracking entries during guest memory teardown.
TL;DR
A 16-year-old logic flaw in KVM's Shadow MMU allows a virtual machine guest administrator to bypass hypervisor isolation, causing a guest-to-host escape, local privilege escalation, or host denial of service.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-416 (Use-After-Free)
- Attack Vector: Local / Guest VM Control
- CVSS v3.1 Score: 8.8
- EPSS Score: 0.00176
- Impact: Guest-to-Host Escape / Local Privilege Escalation
- Exploit Status: Proof-of-Concept / Weaponized (kvmCTF)
- CISA KEV Status: Not Listed
Affected Systems
- Linux Kernel (KVM Subsystem)
-
Linux Kernel: >= 2.6.36, < 6.1.177 (Fixed in:
6.1.177) -
Linux Kernel: >= 6.2, < 6.6.144 (Fixed in:
6.6.144) -
Linux Kernel: >= 6.7, < 6.12.95 (Fixed in:
6.12.95) -
Linux Kernel: >= 6.13, < 6.18.38 (Fixed in:
6.18.38) -
Linux Kernel: >= 6.19, < 7.1.3 (Fixed in:
7.1.3)
Code Analysis
Commit: 81ccda3
KVM: x86/mmu: Compare role inside kvm_mmu_get_child_sp to prevent UAF
Commit: 1ae7d5a
KVM: x86/mmu: Fix shadow page reuse role mismatch (6.1.y backport)
Commit: 2ad3afa
KVM: x86/mmu: Fix shadow page reuse role mismatch (6.6.y backport)
Exploit Details
- OSS-Security Mailing List: Proof of Concept for kernel Denial of Service triggering the UAF in pte_list_remove.
- GitHub: Community-hosted repository replicating the Januscape PoC exploit structure.
Mitigation Strategies
- Upgrade to patched Linux kernel versions.
- Disable nested virtualization in KVM configuration.
- Restrict access permissions to /dev/kvm.
Remediation Steps:
- Verify the current running kernel version using 'uname -r'.
- Apply system updates via your package manager to acquire a patched kernel version.
- Configure /etc/modprobe.d/kvm_nested.conf with nested=0 to disable nesting.
- Verify permission constraints on /dev/kvm using 'ls -l /dev/kvm'.
References
- NVD CVE-2026-53359 Detail
- CVE.org CVE-2026-53359 Record
- Mainline Security Patch Commit
- OSS-Security Mailing List Advisory
- Januscape Official Website
- Community Exploit Repository
- Hotfix Repository
- Kernel Fix Repository
Read the full report for CVE-2026-53359 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)