Breaking
KR광명 호우경보, 성남 호우주의보 발효INTLUS Strikes Iran for Second Day Amid Escalating TensionsKR경기 오산 호우경보 발령…잠수교 등 도로 통제KR이란, 바레인·쿠웨이트 미군 기지 공격…호르무즈 통제권 갈등 고조CN百萬年薪徵才竟是詐騙?除塵蟎公司遭控不實廣告、傳銷手法騙員工與消費者KR한 총리 "AI 민주 정부는 국민이 주인… 연말까지 공공부문 AI 전환 본격화"KR"내란세력 이기는 대표되겠다…3개월 내 지지율 격차 확 벌릴 것"RUБойцы группировки "Центр" двое суток наблюдали за ВСУ из-за забора перед штурмомINTLTrump Comments on Accused Senate Candidate Graham PlatnerARفيفا يعلق عقوبة مهاجم أمريكا بعد تدخل ترامب، والاتحاد الأوروبي يدين القرارKR광명 호우경보, 성남 호우주의보 발효INTLUS Strikes Iran for Second Day Amid Escalating TensionsKR경기 오산 호우경보 발령…잠수교 등 도로 통제KR이란, 바레인·쿠웨이트 미군 기지 공격…호르무즈 통제권 갈등 고조CN百萬年薪徵才竟是詐騙?除塵蟎公司遭控不實廣告、傳銷手法騙員工與消費者KR한 총리 "AI 민주 정부는 국민이 주인… 연말까지 공공부문 AI 전환 본격화"KR"내란세력 이기는 대표되겠다…3개월 내 지지율 격차 확 벌릴 것"RUБойцы группировки "Центр" двое суток наблюдали за ВСУ из-за забора перед штурмомINTLTrump Comments on Accused Senate Candidate Graham PlatnerARفيفا يعلق عقوبة مهاجم أمريكا بعد تدخل ترامب، والاتحاد الأوروبي يدين القرار
Newsgather
BackTwo High-Severity Linux Vulnerabilities Surface, One Exploitable by Untrusted VMs
Two High-Severity Linux Vulnerabilities Surface, One Exploitable by Untrusted VMs
Urgent
Ars Technica8h agoTech3 min readUnited States

Two High-Severity Linux Vulnerabilities Surface, One Exploitable by Untrusted VMs

Quick Look

  • Two critical Linux vulnerabilities, Januscape (CVE-2026-53359) and GhostLock (CVE-2026-43499), have been disclosed.
  • Januscape allows untrusted virtual machines to gain root access to host machines, while GhostLock enables limited users to escalate privileges to root.

AI-generated summary

Why It Matters

Two high-severity vulnerabilities, Januscape and GhostLock, have been discovered in the Linux operating system, impacting its core components and potentially allowing unauthorized root access.

Font size

A Linux vulnerability that allows untrusted virtual machines to gain root access to host machines is one of two high-severity flaws to surface this week in the open source operating system.

The vulnerability resides in KVM, which is, in essence, a virtual machine app included in the kernel of many Linux distributions. The vulnerability, tracked as CVE-2026-53359, allows guest virtual machines—such as those used in cloud platforms to isolate one user’s instance from the host OS and other user instances—to break out of that container.

Januscape: A threat to cloud platforms

The vulnerability affects KVM running on both AMD and Intel processors. It exploits bugs residing in the KVM guest-side, the portion of the VM that consists of only resources like the OS or drivers present in the guest VM, rather than resources present on the host machine. The threat went unnoticed in the Linux kernel for 16 years.

“With guest-side actions alone, an attacker can compromise the host that runs their VM,” Hyunwoo Kim, the researcher who discovered the flaw, wrote. “For example, an attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE).”

Kim has named the vulnerability Januscape. The flaw is a use-after-free vulnerability—a form of memory corruption vulnerability that injects malicious code into recently freed regions of memory. The vulnerability resides in the shadow MMU emulation, a process that translates host memory addresses to hypervisor memory addresses and vice versa.

Exploits will trigger guest-side actions alone to corrupt the host kernel’s shadow page, a data structure in the host that assists in the address translation. Kim has released a proof-of-concept exploit that runs in the guest VM to trigger a crash on the host OS. He said an exploit that fully escapes the guest also exists but won’t be released until “the very distant future.”

The vulnerability doesn’t occur in the QEMU, a separate process related to memory translation. That distinction means exploits can work even in cloud environments that implement and use their own virtualization stack. For exploits to work, the guest-VM user must have root privileges.

Google has awarded $250,000 for the reporting of the vulnerability.

Enter GhostLock

A separate vulnerability in Linux allows users with limited rights to escalate to root. Tracked as CVE-2026-43499, it lurked in the OS for 15 years. Researchers from Nebula Security said they discovered it using Vega, Nebula’s AI-assisted vulnerability scanner. Matt Lucas, a researcher and founder of RedEye Security, explained:

The flaw lives in the kernel’s futex priority-inheritance machinery, the system that keeps an urgent task from getting stuck behind a trivial one. Part of that system is a cleanup step that tidies up after a task stops waiting. In one rare path, where a lock operation hits a dead end and has to back out, the cleanup runs at the wrong moment and wipes the wrong task’s record. The kernel is left holding a pointer to memory it has already freed and reused. Trusting that stale pointer is the entire bug: a classic use-after-free.

From there Nebula chained a handful of steps to escalate the dangling pointer into full control, ending by tricking the kernel into executing their code as root. The futex priority-inheritance code they exploited dates to 2011, old, heavily used machinery that few had reread in years.

The vulnerability, which Nebula has named GhostLock, has a severity rating of 7.8 out of 10. Google awarded the researchers $92,337. Like the $250,000 bounty paid for Januscript, it was awarded through Google’s kernelCTF bug-bounty program.

Both flaws have received patches in the Linux kernel. Linux users should check their distribution to make sure the fixes have populated to their particular version.

What to Watch

AI outlook — possibilities, not facts

  • Increased adoption of AI-assisted vulnerability scanners like Vega.

    Likely · Within months

  • Further research into KVM and futex vulnerabilities.

    Likely · Within months

Open Questions

  • How widespread is the exploitation of these vulnerabilities?
  • What is the timeline for full patch adoption across all Linux distributions?

Related Topics

This article was originally published by Ars Technica.

Related Stories

More on this topiclinux