Google pays $250,000 bounty for Linux VM escape flaw
Two long-lived Linux kernel bugs, including a KVM guest escape risk for cloud hosts, have been patched after researcher reports.
By Hana Yoshida · Markets Reporter
3 min read
Google paid a $250,000 bug bounty for a Linux kernel vulnerability that can let an untrusted virtual machine break out and gain root control of its host, Ars Technica reported. The flaw is significant for cloud platforms because guest VMs are commonly used to separate one customer’s instance from the host operating system and from other tenants.
The vulnerability is tracked as CVE-2026-53359 and affects KVM, the kernel-based virtualization technology included with many Linux distributions, according to the report. Researcher Hyunwoo Kim, who found the bug, named it Januscape and said it had been present in the Linux kernel for 16 years.
Kim said the issue can be triggered entirely from the guest side of a virtual machine. In one scenario he described, an attacker renting a single public-cloud instance could crash the host kernel and disrupt other VMs on the same physical machine; in a more severe case, the attacker could execute code as root on the host and take over the host and its guests.
Ars Technica reported that Januscape affects KVM on both AMD and Intel processors. The bug is a use-after-free flaw, a memory-corruption class in which software continues to rely on memory after it has been released and may have been repurposed.
Kim said the vulnerable code sits in KVM’s shadow MMU emulation, which helps translate memory addresses between a guest, the host and the hypervisor. According to his write-up, an exploit can corrupt a host kernel shadow page, a data structure used in that translation process.
Kim released a proof-of-concept that runs inside a guest VM and crashes the host operating system, Ars Technica reported. He said he also has a working guest-escape exploit, but does not plan to release it until far in the future.
The flaw is separate from QEMU, a related process often used with virtualization stacks, according to the report. That means attacks may still work in cloud environments that use their own virtualization components, though Ars Technica said an attacker would need root privileges inside the guest VM.
A second Linux kernel flaw disclosed this week, CVE-2026-43499, can let a lower-privileged user gain root access, according to researchers at Nebula Security. Nebula named the vulnerability GhostLock and said it found the bug using Vega, its AI-assisted vulnerability scanner.
Matt Lucas, a researcher and founder of RedEye Security, said GhostLock is another use-after-free flaw, this time in the kernel’s futex priority-inheritance code. He said the affected code dates to 2011 and that Nebula chained several steps to turn the stale pointer issue into root-level code execution.
GhostLock has a severity score of 7.8 out of 10, Ars Technica reported. Google paid Nebula’s researchers $92,337 through its kernelCTF bug-bounty program, the same program that paid the Januscape award.
Both vulnerabilities have been patched in the Linux kernel, according to the report. Linux users and administrators should check their distribution’s security updates to confirm the fixes have reached the versions they run.
This story draws on original reporting from Ars Technica.