Issue
Is there a patch developed for Januscape (CVE-2026-53359 / CVE-2026-46113), a nested KVM guest-to-host escape vulnerability, that can be applied on the host?
Environment
- KernelCare
- Affected: any KVM hypervisor host with the
kvm_intelorkvm_amdmodule loaded and/dev/kvmpresent- This is the default posture on most KVM/enterprise hosts, whether or not VMs are currently running
- Reported on:
- CloudLinux OS 7, 8, 9, 10
- Other distributions covered by KernelCare (e.g., Ubuntu, Debian, RHEL-family, Proxmox VE))
Solution
KernelCare's rollout for Januscape (CVE-2026-53359) is in progress and varies by distribution and kernel version. For the current per-distribution release status, see the official Status Page incident report at:
CloudLinux Status Page incident: KernelCare Patch For Januscape (CVE-2026-53359)
Once a fix is available for the customer's platform:
- Update KernelCare, from the test feed first if the patch is still in test:
kcarectl --update --prefix test, orkcarectl --updateonce it's promoted to main. - Verify the patch applied — both CVEs must show up, since they ship together:
kcarectl --info | grep kpatch-build-time # build dated 2026-07 or later kcarectl --patch-info | grep -E 'CVE-2026-53359|CVE-2026-46113' # both fixes needed for Januscape
Temporary mitigation until the patch lands (optional, for concerned customers):
- Hosts that do not run any VMs can remove the attack surface entirely by unloading and blacklisting the KVM module:
sudo modprobe -r kvm_intel kvm # use kvm_amd on AMD hosts printf 'install kvm_intel /bin/false\ninstall kvm_amd /bin/false\n' | sudo tee /etc/modprobe.d/disable-kvm.conf
- Hosts that do run VMs can't do this. On RHEL-family systems (where
/dev/kvmis world-accessible by default), tightening its permissions blocks the unprivileged-local-user variant, but does not stop a malicious VM guest from escaping — full protection still requires the patch:
echo 'KERNEL=="kvm", GROUP="kvm", MODE="0660"' | sudo tee /etc/udev/rules.d/65-kvm.rules sudo udevadm control --reload && sudo udevadm trigger
Check the status page linked above for the latest per-distribution release state before responding to a customer with a specific ETA.
Cause
Januscape (CVE-2026-53359) is a nested KVM guest-to-host escape (and local denial-of-service / privilege-escalation) vulnerability in the Linux kernel's KVM/x86 memory management unit (MMU) handling. A complete fix also requires a companion patch for CVE-2026-46113 (a related frame-number handling issue) — both CVEs must be patched together for full protection; patching only one leaves the host vulnerable.
Useful links
-
Live rollout status:
CloudLinux Status Page: KernelCare Patch For Januscape (CVE-2026-53359)
- NVD: CVE-2026-53359
- The Hacker News: 16-year-old Linux KVM flaw lets guest escape
- AlmaLinux Blog: Januscape / bad-epoll
- TuxCare CVE Tracker: CVE-2026-53359
- Upstream fix commit (CVE-2026-53359)
- Upstream fix commit (companion CVE-2026-46113)
Comments
0 comments
Please sign in to leave a comment.