THE article discusses a critical vulnerability named Januscape (CVE-2026-53359) in the Linux KVM hypervisor, which has existed for 16 years and affects both Intel and AMD systems. This use-after-free vulnerability enables attackers within a guest VM to corrupt the host kernel's memory, risking guest-host isolation in public cloud environments. Security researcher Hyunwoo Kim disclosed the issue, which he successfully exploited as a zero-day in Google’s kvmCTF program.
The bug's exploitation requires root access within the guest VM and exposed nested virtualization. A one-line fix was issued on July 4, 2026, and it is imperative for users running x86 KVM hosts with multi-tenant guests to ensure they apply this patch to avoid potential attacks.