A Linux vulnerability that allows untrusted virtual machines to gain root access to host machines is one of two high-severity flaws to surface this week in the open source operating system.
The vulnerability resides in KVM, which is, in essence, a virtual machine app included in the kernel of many Linux distributions. The vulnerability, tracked as CVE-2026-53359, allows guest virtual machines—such as those used in cloud platforms to isolate one user’s instance from the host OS and other user instances—to break out of that container.
Januscape: A threat to cloud platforms
The vulnerability affects KVM running on both AMD and Intel processors. It exploits bugs residing in the KVM guest-side, the portion of the VM that consists of only resources like the OS or drivers present in the guest VM, rather than resources present on the host machine. The threat went unnoticed in the Linux kernel for 16 years.
“With guest-side actions alone, an attacker can compromise the host that runs their VM,” Hyunwoo Kim, the researcher who discovered the flaw, wrote. “For example, an attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE).”
Kim has named the vulnerability Januscape. The flaw is a use-after-free vulnerability—a form of memory corruption vulnerability that injects malicious code into recently freed regions of memory. The vulnerability resides in the shadow MMU emulation, a process that translates host memory addresses to hypervisor memory addresses and vice versa.
Exploits will trigger guest-side actions alone to corrupt the host kernel’s shadow page, a data structure in the host that assists in the address translation. Kim has released a proof-of-concept exploit that runs in the guest VM to trigger a crash on the host OS. He said an exploit that fully escapes the guest also exists but won’t be released until “the very distant future.”
The vulnerability doesn’t occur in the QEMU, a separate process related to memory translation. That distinction means exploits can work even in cloud environments that implement and use their own virtualization stack. For exploits to work, the guest-VM user must have root privileges.
Google has awarded $250,000 for the reporting of the vulnerability.
Enter GhostLock
A separate vulnerability in Linux allows users with limited rights to escalate to root. Tracked as CVE-2026-43499, it lurked in the OS for 15 years. Researchers from Nebula Security said they discovered it using Vega, Nebula’s AI-assisted vulnerability scanner. Matt Lucas, a researcher and founder of RedEye Security, explained:
The flaw lives in the kernel’s futex priority-inheritance machinery, the system that keeps an urgent task from getting stuck behind a trivial one. Part of that system is a cleanup step that tidies up after a task stops waiting. In one rare path, where a lock operation hits a dead end and has to back out, the cleanup runs at the wrong moment and wipes the wrong task’s record. The kernel is left holding a pointer to memory it has already freed and reused. Trusting that stale pointer is the entire bug: a classic use-after-free.
From there Nebula chained a handful of steps to escalate the dangling pointer into full control, ending by tricking the kernel into executing their code as root. The futex priority-inheritance code they exploited dates to 2011, old, heavily used machinery that few had reread in years.
The vulnerability, which Nebula has named GhostLock, has a severity rating of 7.8 out of 10. Google awarded the researchers $92,337. Like the $250,000 bounty paid for Januscript, it was awarded through Google’s kernelCTF bug-bounty program.
Both flaws have received patches in the Linux kernel. Linux users should check their distribution to make sure the fixes have populated to their particular version.







