Google Pays $250K for Linux Vulnerability Allowing Virtual Machine Escape
A high-severity vulnerability in the Linux kernel's KVM subsystem, hidden for 16 years, allows malicious guest VMs to break out and take over host machines. Google awarded the researcher $250,000.

Google has paid a $250,000 bounty to a researcher for a high-severity Linux vulnerability that allows untrusted virtual machines to gain root access to host machines. The flaw, tracked as CVE-2026-53359, resides in KVM (Kernel-based Virtual Machine), a virtual machine module embedded in the kernel of many Linux distributions.
Dubbed Januscape by researcher Hyunwoo Kim, the vulnerability affects KVM running on both AMD and Intel processors. It exploits bugs in the KVM guest-side—the portion of a VM consisting only of resources like the OS or drivers within the guest, not host resources. The threat remained undetected in the Linux kernel for 16 years.
“With guest-side actions alone, an attacker can compromise the host that runs their VM,” Kim wrote. “For example, an attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE).”
The vulnerability is a use-after-free flaw, a memory corruption vulnerability that injects malicious code into recently freed memory regions. It lies in the shadow MMU emulation process, which translates host memory addresses to hypervisor memory addresses and vice versa. Exploits trigger guest-side actions alone to corrupt the host kernel’s shadow page, a data structure assisting address translation.
Kim has released a proof-of-concept exploit running in the guest VM to crash the host OS. He confirmed a full guest-escape exploit exists but will not be released until “the very distant future.”


