
linux vulnerability Google has paid a $250,000 bounty for a Linux kernel vulnerability that can let an attacker escape from a guest virtual machine and potentially gain root access on the host. The flaw, tracked as CVE-2026-53359, is one of two high-severity Linux bugs to surface this week, both of which have now been patched in the kernel.
linux vulnerability
A 16-year-old KVM bug with cloud implications
The guest-VM escape flaw lives in KVM, the virtualization component built into the Linux kernel and widely used across Linux distributions. KVM is a core part of how many cloud platforms isolate one customer’s virtual machine from the host operating system and from other tenants on the same physical machine. According to the reporting researcher, Hyunwoo Kim, the vulnerability affects KVM on both AMD and Intel processors and went unnoticed in the Linux kernel for 16 years.
Kim said the issue allows “guest virtual machines” to break out of that isolation boundary using guest-side actions alone. In practical terms, that means an attacker who controls a single VM on a public cloud could potentially cause a denial of service by panicking the host kernel, or, in a worse-case scenario, execute code with root privileges on the host and take over both the host and other guests running on it.
How the flaw works
Kim named the vulnerability Januscape. It is described as a use-after-free bug, a class of memory corruption issue in which code continues to use memory after it has been freed and potentially reused for something else. In this case, the weakness is in KVM’s shadow MMU emulation, which helps translate memory addresses between the guest and the hypervisor.
The attack path reportedly targets the host kernel’s shadow page, a data structure used in address translation. Kim released a proof-of-concept exploit that runs inside the guest VM and triggers a crash on the host operating system. He said a full guest escape exploit exists, but that he does not plan to release it until “the very distant future.”
One important technical detail is that the flaw does not involve QEMU, the separate user-space process often associated with virtualization and memory translation. That means cloud environments using their own virtualization stacks are still exposed if they rely on the vulnerable KVM code. The guest VM user must have root privileges for the exploit to work.
Google’s bounty and the response from the researcher
Google awarded $250,000 for the report through its kernelCTF bug-bounty program. The large payout reflects both the seriousness of the bug and the complexity of finding a flaw that persisted for so long in a widely deployed part of the kernel.
Kim’s disclosure also underscores a broader reality for cloud infrastructure: security boundaries in virtualization depend not only on the hypervisor itself, but on the subtle correctness of guest-host interaction code buried deep in the kernel. When those assumptions fail, tenant isolation can fail with them.
Second flaw: GhostLock raises local privileges
The other Linux vulnerability to surface this week is CVE-2026-43499, a separate kernel bug that lets users with limited permissions escalate to root. Researchers from Nebula Security said they found it using Vega, the company’s AI-assisted vulnerability scanner. Google awarded them $92,337 through the same kernelCTF program.
Nebula named the flaw GhostLock. It has a severity rating of 7.8 out of 10 and had reportedly been present in the operating system for 15 years.
Where GhostLock lives
According to Matt Lucas, a researcher and founder of RedEye Security, the bug is in the kernel’s futex priority-inheritance machinery. Futexes are part of Linux’s locking and synchronization system, and the priority-inheritance logic helps prevent an important task from getting stuck behind a lower-priority one. The vulnerable path involves cleanup code that runs after a task stops waiting on a lock.
In one rare case, when a lock operation fails and backs out, the cleanup logic runs at the wrong moment and clears the wrong task’s record. That leaves the kernel holding a pointer to memory that has already been freed and reused. As Lucas put it, the problem is a classic use-after-free: the kernel trusts a stale pointer.
From there, Nebula reportedly chained additional steps to turn the dangling pointer into full root access, eventually tricking the kernel into running attacker-controlled code as root. The futex priority-inheritance code involved in the flaw dates to 2011, which helps explain why it could remain hidden in a heavily used subsystem for so long.
What Linux users should do now
- Check whether your Linux distribution has already shipped the kernel fixes.
- Apply updates promptly, especially on systems that host virtual machines or run public-facing cloud workloads.
- Confirm that patched kernel versions have actually been installed, not just made available in the package repository.
Because both issues are in the Linux kernel itself, the main remedy is to update to a version that includes the patches. For organizations that rely on Linux-based virtualization, the KVM issue is especially urgent because it threatens the boundary between guest workloads and the underlying host.
These two disclosures also show how much security research still hinges on the oldest parts of the kernel. One bug persisted in KVM for 16 years; the other hid in futex priority-inheritance code dating back to 2011. Both were severe enough to earn substantial bug-bounty awards and both demonstrate how long-lived infrastructure can still contain high-impact memory-safety mistakes.
Source: Original report
Was this helpful?
Last Modified: July 9, 2026 at 10:55 am
13 views

