
A newly disclosed Linux kernel bug shows the wall separating a cloud tenant's virtual machine from the physical server underneath it isn't as solid as providers assume. Tracked as CVE-2026-53359 and nicknamed Januscape, the flaw lives inside KVM, the hypervisor built into Linux that powers large swaths of public cloud infrastructure, including at providers like Google Cloud and AWS.
What sets Januscape apart isn't just that it lets a guest crash its host — plenty of virtualization bugs do that. The flaw sits in code shared by both Intel and AMD processors, making it, to the researchers' knowledge, the first publicly documented guest-to-host exploit that works across both chip architectures with only minor platform-specific tweaks. It was serious enough to already be used as a zero-day in Google's kvmCTF, a bounty program that rewards researchers who break out of a KVM guest.
The root cause traces to a function called kvm_mmu_get_child_sp(), part of KVM's "shadow MMU," which manages memory translation when a guest runs its own nested virtual machine (a VM inside a VM), a setup common on cloud platforms.

The function decided whether to reuse an existing page-table entry by checking only the page-table entry's memory address (gfn, or guest frame number), not its type. By repeatedly toggling a page table entry between two entry types while triggering nested-guest page faults, an attacker can win a race condition and trick the kernel into reusing the wrong entry, corrupting its internal bookkeeping.
That corruption becomes a use-after-free: the kernel later writes a fixed value into memory it no longer owns. In the mildest case, this trips an internal integrity check and panics the host outright — a denial-of-service that can take down a physical server and every tenant on it.
A full guest-to-root code execution exploit is also achievable, the researchers say, though that portion of the work remains unreleased. KVM maintainers Paolo Bonzini and Sean Christopherson helped land a fix within days of the report.
Januscape affects any host that exposes nested virtualization to guests, a feature many clouds enable by default. It was reported to the kernel security team in mid-June, patched in mainline Linux via commit 81ccda30b4e8, and publicly disclosed this month following a five-day embargo with the linux-distros mailing list. Administrators running KVM with nested virtualization enabled should apply the patch immediately or disable nested virtualization for untrusted tenants until they can.