• Category: Security
  • Status: confirmed
  • Sources: oss-security disclosure, PoC and write-up, fix commit, HN discussion
  • Summary: Hyunwoo Kim disclosed CVE-2026-53359, a use-after-free in KVM/x86 shadow MMU emulation, on oss-security with the embargo ending 2026-07-07. A role mismatch in kvm_mmu_get_child_sp() allows shadow page table reuse that corrupts state through pte_list_remove(), giving a guest a path to escape to the host. The bug affects both Intel and AMD hosts, was present in the code for roughly 16 years, and was fixed in mainline commit 81ccda30b4e8. The reporter states it was exploited as a zero day in Google's kvmCTF competition; the attached proof of concept is a denial-of-service variant.
  • Why it matters: A guest-to-host escape that works on both Intel and AMD reaches multi-tenant cloud and nested-virtualization hosts directly, and on distributions that ship a world-writable /dev/kvm an unprivileged local user can use it for privilege escalation.
  • Follow-up: Watch for the fix landing in stable trees and distribution kernels, a full exploit beyond the DoS proof of concept, and any confirmed use outside the kvmCTF setting.

Send feedback on this story