A long-standing flaw in Linux KVM/x86 shadow paging, tracked as CVE-2026-53359 and dubbed Januscape, can let a guest corrupt host kernel memory and potentially escape isolation. The bug is a use-after-free in KVM shadow MMU emulation caused by incomplete cleanup logic that left stale references to freed page-table tracking structures; reporting indicates earlier validation checked only the guest frame number and not the page role. The issue affects both Intel and AMD hosts, has reportedly existed since Linux kernel 2.6.36, and was disclosed as a vulnerability that can be triggered solely through guest-side actions.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
AlmaLinux announced patched kernel builds in its testing repository for Januscape (CVE-2026-53359), saying it backported fixes for affected AlmaLinux 8, 9, and 10 branches. The vendor said it released the testing builds ahead of CentOS Stream/RHEL updates because of the vulnerability's severity.
A later report said the vulnerability was fixed in the July 2026 stable kernel updates. The write-up described the bug as long-lived, dating back to Linux kernel 2.6.36, and urged KVM hosts to apply vendor kernel updates.
The oss-sec disclosure stated that CVE-2026-53359 had been patched in mainline Linux. The flaw affects KVM/x86 on both Intel and AMD hosts and can enable guest-to-host escape or local privilege escalation in some configurations.
Hyunwoo Kim disclosed Januscape (CVE-2026-53359), a guest-to-host escape vulnerability in KVM/x86 caused by a use-after-free in shadow MMU emulation. The disclosure said the issue had been reported to the Linux kernel security team, noted successful 0-day use in Google kvmCTF, and included a denial-of-service proof of concept plus technical details.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
12 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcesecurityweek.com
Open sourcecybersecuritynews.com
Open sourcesecurityaffairs.com
Open sourcedarkwebinformer.com
Open sourcegit.kernel.org
Open sourceseclists.org
Open sourcethecybersecguru.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.