Hi,
On July 6, 2026, researcher Hyunwoo Kim (@v4bel) publicly disclosed
Januscape, a vulnerability in the Linux kernel’s KVM/x86
memory-management code. It has two attack paths. A malicious virtual
machine can break out of the guest and run code as root on the host it
runs on. And on any host where the KVM device node /dev/kvm is
world-accessible, which is the default on EL8 and later, an unprivileged
local user can trigger the same bug directly to crash the host, with a
working root-level exploit reported but not yet public. Kim is the
researcher behind the earlier KVM/arm64 escape “ITScape”
(CVE-2026-46316); Januscape is its x86 sibling. [0]
This vulnerability directly affects all CloudStack users running with
the KVM hypervisor and it's therefor advised to patch/mitigate your
hypervisors.
On Github [1] Kim published a PoC, but the Guest-to-Host exploit has not
been released yet: "Running the PoC inside a guest VM can trigger a host
kernel panic. A full escape exploit that works in a controlled
environment also exists, but it is not released at this time and is
planned to be released in the very distant future."
I highly recommend you look into this if you are using KVM (with
CloudStack)!
Wido
[0]:
https://blog.cloudlinux.com/januscape-cve-2026-53359-mitigation-and-kernel-update-on-cloudlinux/
[1]: https://github.com/V4bel/Januscape