PT-2026-55697 · Linux · Linux Kernel
Hyunwoo Kim
+1
·
Published
2026-07-04
·
Updated
2026-07-07
·
CVE-2026-53359
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Linux KVM versions prior to 7.1.3
Linux KVM versions prior to 6.12.95
Linux KVM versions prior to 6.6.144
Linux KVM versions prior to 6.18.38
Linux KVM versions prior to 6.1.177
Description
Januscape is a use-after-free issue in the KVM shadow MMU (Memory Management Unit) affecting both Intel and AMD x86 architectures. The issue occurs because the
kvm mmu get child sp() function reuses a page when the guest frame number (GFN) matches, but fails to compare the role of the page. This allows a mismatch where a page created for a large 2MB page (direct=1) is reused for a 4KB page (direct=0). When the child is zapped, the kvm mmu page get gfn() function computes the GFN incorrectly, failing to remove the recorded rmap entry. Consequently, when the memslot is dropped, the shadow page is freed while the rmap entry survives. Subsequent operations, such as dirty logging or MMU notifier invalidation, dereference a pointer in the freed page, leading to a use-after-free. This can be triggered by a rooted guest with nested virtualization enabled, potentially allowing a guest-to-host escape, host kernel panic, or remote code execution on the host. The flaw has been present since August 2010 and has been used as a 0-day exploit in the Google kvmCTF.Recommendations
Update to Linux KVM versions 7.1.3, 6.12.95, 6.6.144, 6.18.38, or 6.1.177.
As a temporary mitigation, disable nested virtualization by setting
kvm intel.nested=0. Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linux Kernel