// Google CloudCRITICAL
Januscape (CVE-2026-53359), a 16-year-old use-after-free vulnerability in KVM's shadow MMU, enables guest-to-host escape on systems with nested virtualization enabled. Discovered by researcher Hyunwoo Kim via Google's kvmCTF bug bounty program, the flaw allows root access on the host machine. The vulnerability affects both Intel and AMD processors and has been present since kernel 2.6.36 (August 2010). Patches are available; organizations should update immediately or disable nested virtualization if patching is delayed.
- Januscape - The KVM vulnerability that slept for 16 years in the(opens in a new tab)
- CVE-2026-53359: Januscape Linux KVM Flaw Enables VM Escape(opens in a new tab)
// Get alerts for Google Cloud