Google has paid a $250,000 bug bounty for a Linux kernel flaw that could let a hostile virtual machine attack the physical host running it, a failure mode cloud providers spend a lot of money pretending cannot happen.
The vulnerability, tracked as CVE-2026-53359 and named Januscape by researcher Hyunwoo Kim, affects KVM, the kernel-based virtual machine technology shipped with many Linux distributions. Kim said the bug can be triggered from inside a guest VM and can allow denial of service against the host or, with a stronger exploit, code execution as root on that host.
That matters because KVM is widely used to separate tenants on shared infrastructure. A rented VM on a public cloud is supposed to be boxed in from the host operating system and from other customers’ instances. Kim said Januscape breaks that boundary using actions performed only from the guest side, although the attacker needs root privileges inside the guest VM.
How Januscape works
Kim described Januscape as a use-after-free bug in KVM’s shadow MMU emulation. In plain English, KVM keeps data structures that help translate memory addresses used by a guest into the address space managed by the host and hypervisor. The vulnerable path can leave the host kernel using memory after it has been freed, which creates an opening for corruption.
The specific target is the host kernel’s shadow page data, which supports that address translation. Kim released proof-of-concept code that runs inside a guest VM and crashes the host. He also said a complete guest escape exploit exists, but he does not plan to publish it until much later.
The bug affects KVM on both AMD and Intel processors, according to Kim’s write-up. It had been present in the Linux kernel for 16 years before discovery.
One operational detail is especially unpleasant for defenders: Kim said the issue is in KVM itself, not in QEMU, the separate user-space component often involved in virtualization. That means replacing or customizing the surrounding virtualization stack does not by itself remove the KVM bug if the vulnerable kernel code is still in use.
GhostLock targets futex code
A second Linux kernel vulnerability disclosed in the same batch gives a lower-privileged user a route to root. That flaw, CVE-2026-43499, has been named GhostLock by Nebula Security, whose researchers said they found it with Vega, the company’s AI-assisted vulnerability scanner.
GhostLock sits in the kernel’s futex priority-inheritance code, according to explanations from Nebula Security and Matt Lucas, founder of RedEye Security. That code helps manage lock ordering so a higher-priority task is not stuck behind a lower-priority one. Lucas said a rare cleanup path can clear the wrong task record, leaving the kernel with a stale pointer to freed memory.
Nebula’s researchers chained that use-after-free condition into a root escalation, according to Lucas. The affected futex code dates back to 2011, meaning the bug lasted about 15 years. GhostLock carries a severity score of 7.8 out of 10.
Google awarded $92,337 for the GhostLock report through its kernelCTF bug bounty program, the same program that paid the $250,000 Januscape reward.
Both vulnerabilities have been patched in the Linux kernel. Users and administrators still need to check their own distributions, because kernel fixes only help after the distro maintainers ship them and the machines actually boot into the updated kernel.
This story draws on original reporting from Ars Technica.