KVM exploit CVE-2026-53359 Januscape, hypervisor crash with guest root potential
AnthonySmith
AdministratorHosting ProviderOGSenpai
Happy patching day everyone.
https://nvd.nist.gov/vuln/detail/CVE-2026-53359
Bit of a scary sounding one, my impression is that this is probably (for now) one of those ones where the effort is massive to exploit and to actually get root from a guest you have to calculate the displaced atoms from a gravitational wave while standing on 1 leg eating lemons.... But as with the batch of local privilege escalation exploits, it has existed for 10 years undetected.
So let's hope this does not bring a wave of similar findings and daily patching.
Basically if you have nested KVM enabled for guests, your hypervisors are vulnerable.
No exploit in the wild yet I think, but I am sure that will change.
I am exploring live patching for TierHive because frankly I don't want to reboot everything, but if I must, I will.
Please... Don't become a trend.
TierHive - Hourly VPS - NAT Native - /24 per customer - DE, UK, SG, CA, USA x3, FR, AU, PL, NL
FREE tokens on sign up, try before you buy. | Static Hosting Free for life: https://tierhive.com/static-hosting/
Comments
Fixed in Debian
https://security-tracker.debian.org/tracker/CVE-2026-53359
apt mooI was wrong there is a POC out there, so... Bad
TierHive - Hourly VPS - NAT Native - /24 per customer - DE, UK, SG, CA, USA x3, FR, AU, PL, NL
FREE tokens on sign up, try before you buy. | Static Hosting Free for life: https://tierhive.com/static-hosting/
Works only if nested virtualization is enabled
Check our KVM VPS plans in π΅π± Warsaw, Poland and πΈπͺ Stockholm, Sweden
Yep, I think that's pretty standard now.
TierHive - Hourly VPS - NAT Native - /24 per customer - DE, UK, SG, CA, USA x3, FR, AU, PL, NL
FREE tokens on sign up, try before you buy. | Static Hosting Free for life: https://tierhive.com/static-hosting/
Qemu CPU Uber Allies
"It's a hard life- to be a stick insect." - Karl Pilkington
Why not just delete this post and pretend nothing ever happened?
KernelCare has patches out for it already, https://blog.cloudlinux.com/januscape-cve-2026-53359-mitigation-and-kernel-update-on-cloudlinux/
CrownCloud - Internet Services | Los Angeles, California | Frankfurt, Germany | Amsterdam, The Netherlands | Atlanta, Georgia | Miami, Florida
No patches for AlmaLinux 9 yet :(
Check our KVM VPS plans in π΅π± Warsaw, Poland and πΈπͺ Stockholm, Sweden
oh god:
The next few months/years are going to be fun.
Edit: /dev/kvm should not be world accessible anyway as standard (on debian at least) so I guess this is not so much of an issue, I also checked ubuntu 24 LTS, also not world accessible so as no root escalation POC has been posted and again, it sounds like you have to do a special incantation to get it, this might be a lot of noise about nothing.
Maybe someone who uses an rhel base can confirm /dev/kvm status.
Edit again: Yeah it is an issue in rhel base only, probably worth panel distributors to enforce this as standard as part of the deployment or at least flag it to the installer, tagging @VirtFusion, just a suggestion.
TierHive - Hourly VPS - NAT Native - /24 per customer - DE, UK, SG, CA, USA x3, FR, AU, PL, NL
FREE tokens on sign up, try before you buy. | Static Hosting Free for life: https://tierhive.com/static-hosting/
No I am wrong, ignore most of the above haha, that only applies to local access. I misunderstood the access method.
TierHive - Hourly VPS - NAT Native - /24 per customer - DE, UK, SG, CA, USA x3, FR, AU, PL, NL
FREE tokens on sign up, try before you buy. | Static Hosting Free for life: https://tierhive.com/static-hosting/