Cloud Security

Linux bug dormant for 16 years can cause a VM escape

Holographic visualization of a multi-cloud environment showcasing hybrid cloud solutions

A recently disclosed Linux kernel bug known as Januscape that was dormant for 16 years can let attackers execute a virtual machine (VM) escape in which the attacker breaks out of an isolated guest VM and can take over a hypervisor.

Security researcher Hyunwoo Kim demonstrated the vulnerability as a zero-day exploit by triggering a “use-after-free” error in the shadow MMU code of the Linux KVM hypervisor.

Security pros were concerned about this case because a VM escape shatters the fundamental security model of virtualization: it can let attackers steal data, manipulate the host, or compromise other VMs running on the same server. It’s also important to note that the bug can be executed on both Intel and AMD architectures.

 “A VM escape allows an attacker to break out of a guest environment and compromise the host system,” said Jason Soroko, a senior fellow at Sectigo. “This threatens multi-tenant cloud architectures because a single compromised instance can grant root privileges over the server. Attackers can then crash the host kernel to cause a Denial-of-Service or execute code to gain control over every virtual machine running on that hardware.”

Robert Coles, senior cybersecurity engineer at Black Duck, said VM escapes get so much attention because they break one of the core assumptions virtualization is built on: containment.

Coles explained in most cases, if an attacker compromises a VM, the damage stops there, but a VM escape changes that.

“Once an attacker reaches the hypervisor, they're no longer attacking a single workload — they potentially have access to the infrastructure supporting multiple workloads,” said Coles. “That's why hypervisor compromises are considered some of the highest-impact vulnerabilities in cloud environments.”

Coles pointed out that a patch is now available. Any organization running KVM should identify affected hosts, apply the updates, and review any environments exposing nested virtualization, particularly in multi-tenant deployments where the risk is greatest.

Jacob Krell, senior director for secure AI solutions and Cybersecurity at Suzu Labs, said the bug Kim found now tracked as CVE-2026-53359 sat in the Linux code since 2010. Krell said most standard deployments rely on hardware-assisted paging and skip this code entirely, but nested virtualization, running one VM inside another, forces execution back through the older shadow MMU path. Because the feature is optional, Krell said this code went 16 years with minimal review.

“A $250,000 bounty motivated one researcher,” said Krell. “AI-assisted code analysis is on track to do the same work across every neglected subsystem simultaneously. Legacy codebases carry decades of debt in paths that production traffic never touches, and the tooling to scan them just got cheaper by an order of magnitude. The trajectory points toward more 10- and 15-year-old bugs surfacing over the next 12 to 18 months as automated analysis reaches code that human reviewers haven't touched since it was written.”

An In-Depth Guide to Cloud Security

Get essential knowledge and practical strategies to fortify your cloud security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds