Home Technology Google pays $250K for Linux vulnerability allowing guest VM escapes

Google pays $250K for Linux vulnerability allowing guest VM escapes

5
0

A Linux vulnerability that allows untrusted virtual machines to gain root access to host machines is one of two high-severity flaws to surface this week in the open source operating system.

The vulnerability resides in KVM, which is, in essence, a virtual machine app included in the kernel of many Linux distributions. The vulnerability, tracked as CVE-2026-53359, allows guest virtual machines—such as those used in cloud platforms to isolate one user’s instance from the host OS and other user instances—to break out of that container.

Januscape: A threat to cloud platforms

The vulnerability affects KVM running on both AMD and Intel processors. It exploits bugs residing in the KVM guest-side, the portion of the VM that consists of only resources like the OS or drivers present in the guest VM, rather than resources present on the host machine. The threat went unnoticed in the Linux kernel for 16 years.

“With guest-side actions alone, an attacker can compromise the host that runs their VM,” Hyunwoo Kim, the researcher who discovered the flaw, wrote. “For example, an attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE).”

Kim has named the vulnerability Januscape. The flaw is a use-after-free vulnerability—a form of memory corruption vulnerability that injects malicious code into recently freed regions of memory. The vulnerability resides in the shadow MMU emulation, a process that translates host memory addresses to hypervisor memory addresses and vice versa.

Exploits will trigger guest-side actions alone to corrupt the host kernel’s shadow page, a data structure in the host that assists in the address translation. Kim has released a proof-of-concept exploit that runs in the guest VM to trigger a crash on the host OS. He said an exploit that fully escapes the guest also exists but won’t be released until “the very distant future.”



Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here