KVM exploit CVE-2026-53359 Januscape, hypervisor crash with guest root potential

AnthonySmithAnthonySmith AdministratorHosting ProviderOGSenpai

Happy patching day everyone.

https://nvd.nist.gov/vuln/detail/CVE-2026-53359

Bit of a scary sounding one, my impression is that this is probably (for now) one of those ones where the effort is massive to exploit and to actually get root from a guest you have to calculate the displaced atoms from a gravitational wave while standing on 1 leg eating lemons.... But as with the batch of local privilege escalation exploits, it has existed for 10 years undetected.

So let's hope this does not bring a wave of similar findings and daily patching.

Basically if you have nested KVM enabled for guests, your hypervisors are vulnerable.

No exploit in the wild yet I think, but I am sure that will change.

I am exploring live patching for TierHive because frankly I don't want to reboot everything, but if I must, I will.

Please... Don't become a trend.

Thanked by (2)Not_Oles jureve

TierHive - Hourly VPS - NAT Native - /24 per customer - DE, UK, SG, CA, USA x3, FR, AU, PL, NL
FREE tokens on sign up, try before you buy. | Static Hosting Free for life: https://tierhive.com/static-hosting/

Comments

  • AnthonySmithAnthonySmith AdministratorHosting ProviderOGSenpai

    I was wrong there is a POC out there, so... Bad

    TierHive - Hourly VPS - NAT Native - /24 per customer - DE, UK, SG, CA, USA x3, FR, AU, PL, NL
    FREE tokens on sign up, try before you buy. | Static Hosting Free for life: https://tierhive.com/static-hosting/

  • tentortentor Hosting Provider

    Works only if nested virtualization is enabled

    Thanked by (1)willie

    Check our KVM VPS plans in πŸ‡΅πŸ‡± Warsaw, Poland and πŸ‡ΈπŸ‡ͺ Stockholm, Sweden

  • AnthonySmithAnthonySmith AdministratorHosting ProviderOGSenpai

    @tentor said:
    Works only if nested virtualization is enabled

    Yep, I think that's pretty standard now.

    TierHive - Hourly VPS - NAT Native - /24 per customer - DE, UK, SG, CA, USA x3, FR, AU, PL, NL
    FREE tokens on sign up, try before you buy. | Static Hosting Free for life: https://tierhive.com/static-hosting/

  • Qemu CPU Uber Allies

    Thanked by (1)rpqu

    "It's a hard life- to be a stick insect." - Karl Pilkington

  • Why not just delete this post and pretend nothing ever happened?

    Thanked by (1)yoursunny
  • SpeedBusSpeedBus Hosting ProviderOG

    @AnthonySmith said: I am exploring live patching for TierHive because frankly I don't want to reboot everything, but if I must, I will.

    KernelCare has patches out for it already, https://blog.cloudlinux.com/januscape-cve-2026-53359-mitigation-and-kernel-update-on-cloudlinux/

    Thanked by (1)Khalequzzaman

    CrownCloud - Internet Services | Los Angeles, California | Frankfurt, Germany | Amsterdam, The Netherlands | Atlanta, Georgia | Miami, Florida

  • tentortentor Hosting Provider

    @SpeedBus said:

    @AnthonySmith said: I am exploring live patching for TierHive because frankly I don't want to reboot everything, but if I must, I will.

    KernelCare has patches out for it already, https://blog.cloudlinux.com/januscape-cve-2026-53359-mitigation-and-kernel-update-on-cloudlinux/

    No patches for AlmaLinux 9 yet :(

    Check our KVM VPS plans in πŸ‡΅πŸ‡± Warsaw, Poland and πŸ‡ΈπŸ‡ͺ Stockholm, Sweden

  • AnthonySmithAnthonySmith AdministratorHosting ProviderOGSenpai
    edited 12:24PM

    @SpeedBus said:

    @AnthonySmith said: I am exploring live patching for TierHive because frankly I don't want to reboot everything, but if I must, I will.

    KernelCare has patches out for it already, https://blog.cloudlinux.com/januscape-cve-2026-53359-mitigation-and-kernel-update-on-cloudlinux/

    oh god:

    Januscape is a KVM vulnerability, so the obvious question is β€œwe don’t run guests, are we exposed?” On CloudLinux 8, 9, and 10 the answer is usually yes. Those platforms ship /dev/kvm world-accessible by default, so any unprivileged local user (a shell account, a compromised site, a rogue process) can open the device, create a throwaway VM, and trigger the bug to crash the host, without your server ever being a hypervisor. The guest-to-host escape is the more severe path. The local-user path is the more common one on shared hosting.

    The next few months/years are going to be fun.

    Edit: /dev/kvm should not be world accessible anyway as standard (on debian at least) so I guess this is not so much of an issue, I also checked ubuntu 24 LTS, also not world accessible so as no root escalation POC has been posted and again, it sounds like you have to do a special incantation to get it, this might be a lot of noise about nothing.

    Maybe someone who uses an rhel base can confirm /dev/kvm status.

    Edit again: Yeah it is an issue in rhel base only, probably worth panel distributors to enforce this as standard as part of the deployment or at least flag it to the installer, tagging @VirtFusion, just a suggestion.

    Thanked by (2)Not_Oles jureve

    TierHive - Hourly VPS - NAT Native - /24 per customer - DE, UK, SG, CA, USA x3, FR, AU, PL, NL
    FREE tokens on sign up, try before you buy. | Static Hosting Free for life: https://tierhive.com/static-hosting/

  • AnthonySmithAnthonySmith AdministratorHosting ProviderOGSenpai

    No I am wrong, ignore most of the above haha, that only applies to local access. I misunderstood the access method.

    Thanked by (2)Not_Oles jureve

    TierHive - Hourly VPS - NAT Native - /24 per customer - DE, UK, SG, CA, USA x3, FR, AU, PL, NL
    FREE tokens on sign up, try before you buy. | Static Hosting Free for life: https://tierhive.com/static-hosting/

Sign In or Register to comment.