Januscape vulnerability CVE-2026-53359 mitigations available

Wait 5 sec.

IntroductionA local privilege escalation (LPE) vulnerability affecting the Linux kernel was publicly disclosed on July 6, 2026. The vulnerability was assigned CVE ID CVE-2026-53359 and is referred to as Januscape. This vulnerability affects all Ubuntu releases.Neither NVD nor Kernel.org have published their own CVSS scores for this issue; we calculated it as CVSS 4 8.4 and have seen others publish CVSS 3 7.8, 8.8, and CVSS 4 9.3.The vulnerability affects nested virtualization in the KVM system on Intel and AMD x86_64 systems. Other architectures are not affected. A Proof of Concept exploit was published that demonstrates crashing a hypervisor host from a guest. Some reports claim that a full exploit exists.The fix must be installed in the hypervisor’s kernel: if you are using a cloud service provider with a hypervisor based on Linux KVM on Intel or AMD hardware and you can use nested virtualization, your VM or host may be compromised by another tenant. If your cloud service provider does not allow nested virtualization, you are not affected by this issue.If you run hypervisors yourself, your attack surface is from root in your guest virtual machines.Linux kernel packages which implement the proposed patch will be released. Until security updates are available, you can disable nested virtualization to prevent abuse of this issue. This might disrupt your legitimate work and you should weigh the pros and cons before using this mitigation.This post describes how to disable nested virtualization.Which Ubuntu releases are affected by CVE-2026-53359?ReleasePackage NameRemediation statusTrusty (14.04)linuxFix pendingXenial (16.04)linuxFix pendingBionic (18.04)linuxFix pendingFocal (20.04)linuxFix pendingJammy (22.04)linuxFix pendingNoble (24.04)linuxFix pendingResolute (26.04)linuxFix pendingHow to check if you are impacted by CVE-2026-53359grep . /sys/module/kvm_{amd,intel}/parameters/nested# 1 or Y means you are impacted. 0 or N means mitigated.# One or two "No such file or directory" is expected.# Two "No such file or directory" does not itself mean# you are safe -- the module may still be loaded later.Impact of CVE-2026-53359Deployments without virtualization workloadsEven if you do not have virtual machines running now, system services such as libvirt, lxd, multipass, incus, etc may allow users to create virtual machines in future. An attacker could use the ability provided by these services to create virtual machines and perform local privilege escalation (LPE) by exploiting this vulnerability. Device node permissions may also allow users the necessary permissions to exploit the vulnerability. Inspect the output of namei -l /dev/kvm and getfacl /dev/kvm to see the permissions on the usual device node. You should ensure that only privileged users can write to the /dev/kvm device. The default on Ubuntu is that /dev/kvm is only writable by the superuser (root) and the kvm group. Only privileged users are added to the kvm group.Deployments with container workloadsUnprivileged containers do not have sufficient permissions to start KVM-accelerated virtual machines and are thus not a vector for concern. Privileged containers may have sufficient permissions to start KVM-accelerated virtual machines and should not be considered safe. These should be treated as per the ‘Deployments without virtualization workloads’ section, above.Deployments with virtualization workloadsAny process or user inside a virtual machine that can cause kernel module loading – or supply a new kernel – can manipulate page tables sufficiently to crash or potentially exploit the host or exploit other guest virtual machines on the host.How to apply mitigations for CVE-2026-53359You can disable virtualization nesting on your hosts:# unload modules, both are harmlesssudo rmmod kvm_amd ; sudo rmmod kvm_intel# look to see if any configuration file forces nesting ongrep nested /etc/modprobe.d/*# disable nesting for the implementations of KVM in both AMD and Intel processorsecho 'options kvm_amd nested=0' | sudo tee /etc/modprobe.d/nested.confecho 'options kvm_intel nested=0' | sudo tee -a /etc/modprobe.d/nested.conf# reload modules if necessary, both are harmlesssudo modprobe kvm_amd ; sudo modprobe kvm_intelFurther readingTechnical writeup by exploit author Hyunwoo KimRead Ubuntu’s disclosure policy