PT-2026-55697 · Linux · Linux Kernel

Hyunwoo Kim

+1

·

Published

2026-07-04

·

Updated

2026-07-07

·

CVE-2026-53359

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions Linux KVM versions prior to 7.1.3 Linux KVM versions prior to 6.12.95 Linux KVM versions prior to 6.6.144 Linux KVM versions prior to 6.18.38 Linux KVM versions prior to 6.1.177
Description Januscape is a use-after-free issue in the KVM shadow MMU (Memory Management Unit) affecting both Intel and AMD x86 architectures. The issue occurs because the kvm mmu get child sp() function reuses a page when the guest frame number (GFN) matches, but fails to compare the role of the page. This allows a mismatch where a page created for a large 2MB page (direct=1) is reused for a 4KB page (direct=0). When the child is zapped, the kvm mmu page get gfn() function computes the GFN incorrectly, failing to remove the recorded rmap entry. Consequently, when the memslot is dropped, the shadow page is freed while the rmap entry survives. Subsequent operations, such as dirty logging or MMU notifier invalidation, dereference a pointer in the freed page, leading to a use-after-free. This can be triggered by a rooted guest with nested virtualization enabled, potentially allowing a guest-to-host escape, host kernel panic, or remote code execution on the host. The flaw has been present since August 2010 and has been used as a 0-day exploit in the Google kvmCTF.
Recommendations Update to Linux KVM versions 7.1.3, 6.12.95, 6.6.144, 6.18.38, or 6.1.177. As a temporary mitigation, disable nested virtualization by setting kvm intel.nested=0.
Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

CVE-2026-53359

Affected Products

Linux Kernel