Google pays $250K for Linux vulnerability allowing guest VM escapes
Key Points:
- A critical Linux vulnerability (CVE-2026-53359), named Januscape, affects the KVM virtual machine component and allows guest VMs with root privileges to gain root access on the host, potentially compromising all tenants on the physical machine.
- Januscape exploits a 16-year-old use-after-free bug in the shadow MMU emulation, enabling attackers to corrupt the host kernel’s shadow page and execute code remotely; a proof-of-concept exploit has been released, though a full escape exploit is withheld.
- A separate high-severity flaw, GhostLock (CVE-2026-43499), discovered in the kernel’s futex priority-inheritance system, allows limited users to escalate to root via a use-after-free vulnerability in cleanup operations, with a severity rating of 7.8/10.
- Both vulnerabilities have been patched in the Linux kernel, and users are advised to update their distributions promptly; Google awarded $250,000 for Januscape and $92,337 for GhostLock through its kernelCTF bug bounty program.