16-Year-Old KVM Flaw “Januscape” Exposes Intel, AMD Cloud Hosts to Guest Attacks
A newly disclosed vulnerability, dubbed Januscape (CVE-2026-53359), has exposed a 16-year-old use-after-free flaw in Linux KVM’s shadow MMU, allowing a malicious guest to corrupt host kernel memory via guest-side actions alone.
The bug affects the shadow MMU code shared by both Intel VMX and AMD SVM implementations of x86 KVM, marking the first publicly known guest-to-host exploit that works across both architectures.
The flaw lives in kvm_mmu_get_child_sp(), the function KVM uses to fetch or reuse shadow pages while shadowing guest page tables.
The vulnerable reuse check compared only the guest frame number (gfn) of an existing shadow page, ignoring its role, whether it was an indirect page shadowing a guest page table or a direct split page carved from a large page.
16-Year-Old KVM Flaw
When nested virtualization is active, the host (L0) must shadow L1’s nested EPT/NPT in software, since hardware two-stage paging supports only one level. In this path, KVM’s fetch routine can request a direct split page and an indirect page for the same gfn.
Because the pre-patch code checked gfn alone, it could reuse a page with the wrong role, corrupting the rmap (reverse-map) KVM relies on to track shadow page table entries.
This role confusion breaks lifetime tracking, producing orphaned parent pointers into freed shadow pages, with two possible outcomes:
- Use-after-free write: clearing an orphaned pointer writes a fixed constant (
SHADOW_NONPRESENT_VALUE) into whatever kernel object now occupies that freed memory. - Denial-of-service (the public PoC’s path): a gfn mismatch between the rmap’s expected key and the actual lookup key trips KVM’s own
KVM_BUG_ON_DATA_CORRUPTIONcheck, causing an immediate kernel panic underCONFIG_BUG_ON_DATA_CORRUPTION, enabled by default on distributions like RHEL.
Januscape was actively exploited as a zero-day in Google’s kvmCTF competition before disclosure, underscoring real-world exploitability against multi-tenant cloud platforms like GCP and AWS that expose nested virtualization to untrusted guests.
The published PoC runs as a kernel module inside a guest (L1), which builds its own nested guest (L2) using raw VMX or SVM instructions.
It engineers a memory layout where a single physical page serves simultaneously as a large-page leaf and a page-table page, then races two vCPU threads: one toggles a page directory entry between “huge” and “table” states while the other repeatedly faults in L2 to hit the narrow non-atomic window during host emulation of that toggle. Winning the race triggers the role-confused reuse, ultimately panicking L0.
Because the vulnerable code sits in the architecture-shared arch/x86/kvm/mmu/mmu.c, the same logic drives both Intel and AMD backends via a small abstraction layer that swaps page-table bit encodings.
V4bel notes that a full privilege-escalation chain into host code execution reportedly exists but hasn’t been released, given the difficulty of aligning the fixed corruption write with an exploitable kernel object.
Researchers reported Januscape to security@kernel.org on June 12, 2026. KVM maintainers Paolo Bonzini and Sean Christopherson developed a patch, merged into mainline as commit 81ccda30b4e8 on June 19. CVE-2026-53359 was assigned July 4, and the embargo was lifted July 6.
The fix adds a role.word comparison alongside the gfn check in kvm_mmu_get_child_sp(), ensuring shadow pages are only reused when both gfn and role match, closing the role-confusion window entirely. Organizations running nested virtualization workloads on shared infrastructure should prioritize patching immediately.
No Comment! Be the first one.