A 16-year-old Linux kernel vulnerability, dubbed Januscape, allows attackers to escape a virtual machine and execute arbitrary code on the host.
According to Hyunwoo Kim, the security researcher who discovered it, this guest-to-host escape flaw (tracked as CVE-2026-53359) stems from a use-after-free weakness in the shadow MMU emulation of KVM/x86, the kernel-based virtual machine built for x86 and x86_64 (AMD64) processor architectures.
Januscape has been present in the Linux kernel for approximately 16 years before being patched in June 2026, and was used as a zero-day exploit in Google's kvmCTF vulnerability reward program (VRP).
Successful exploitation allows attackers with root access inside a guest virtual machine (the default configuration on public cloud instances) to execute code as root on the host and take over all guests running on it or crash the host kernel (knocking every other tenant's virtual machine on the same server offline).
Kim described Januscape as the first guest-to-host exploit that can be triggered on both Intel and AMD processor architectures, rather than being limited to a single platform, and noted that it poses a distinct risk to multi-tenant public cloud environments, such as those offered by Google Cloud and Amazon Web Services.











