Januscape Linux flaw
This message is intended for U-M IT staff who are responsible for Linux systems.
Summary
A 16-year-old Linux kernel vulnerability (CVE-2026-53359), dubbed Januscape, allows attackers to escape a virtual machine (VM) and execute arbitrary code on the host.
Problem
Successful exploitation allows attackers with root access inside a guest virtual machine (the default configuration on public cloud instances) to execute code as root on the host and take over all guests running on it or crash the host kernel (knocking every other tenant's virtual machine on the same server offline).
The attack requires two things from the guest side: root inside the VM, a common condition on rented cloud instances, and nested virtualization exposed by the host. Even on hosts that run hardware EPT or NPT by default, nested virtualization forces the kernel-based virtual machine (KVM) back through the legacy shadow MMU, which is where the bug sits.
Threats
Treat exposed x86 KVM hosts with nested virtualization as high-priority patch targets.
Affected Systems
Any x86 KVM environment that hosts untrusted guests with nested virtualization enabled.
Action Items
If you operate an x86 KVM host that accepts multi-tenant guests with nested virtualization, confirm that your kernel includes commit 81ccda30b4e8. Distribution backports may carry the fix under a different version number, so check the package changelog rather than relying on uname -r alone.
The fix is a one-line addition to kvm_mmu_get_child_sp(): the reuse condition now checks role.word alongside the gfn, so a shadow page is only reused when both the frame number and the role match.
Information for Users
MiServer machines will be patched as soon as possible. If you are running an x86 KVM environment on your own devices that are not managed by the university, you should follow the remediation steps above.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems (The Hacker News)
- New Januscape Linux flaw allows VM escape on Intel, AMD devices (Bleeping Computer)
- CVE-2026-53359 Detail (NIST)