A Linux vulnerability discovered in the KVM (Kernel-based Virtual Machine) module allows untrusted virtual machines to gain root access to the host machine. Google awarded a $250,000 bounty to the researcher who reported the bug, one of two high-severity flaws found this week in the open-source operating system.
Flaw CVE-2026-53359 affects KVM on AMD and Intel processors
The vulnerability, tracked as CVE-2026-53359, resides in KVM, a component integrated into the kernel of many Linux distributions. KVM is a hypervisor that enables running virtual machines, widely used in cloud platforms like Google Cloud, AWS, and Azure to isolate user instances from the host OS. The bug exploits an error in the guest side of KVM, meaning the resources (such as drivers and OS) inside the guest VM, not the host. This error went undetected in the Linux kernel for 16 years.
Sponsored Protocol
Januscape: a threat to cloud platforms
Dubbed Januscape, the vulnerability allows an attacker to gain root privileges on the host from a guest virtual machine, completely breaking isolation. Google, known for recent AI innovations like Video Remix in Google Photos, has a strong bug bounty program and paid $250,000 for this discovery, highlighting the critical nature of such flaws.
Impact on cloud providers and Linux users
Januscape poses a serious threat to all cloud providers using KVM, including those based on AMD and Intel processors. An attacker could potentially access other customers' data, launch lateral attacks, or compromise the entire infrastructure. While no exploits have been reported in the wild, security experts urge prompt patching of Linux kernels and vendor updates. This finding underscores the importance of bug bounty programs like Google's, which incentivize discovery of critical vulnerabilities.
Sponsored Protocol
For technical details, see the Wikipedia page on KVM. Additionally, frameworks like the AI Act for SMEs show how software vulnerabilities can have legal implications for businesses.