Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    US seeks cheaper hunter-killer drones after Iran destroys $1B worth of Reapers

    July 9, 2026

    Sir Keir Starmer gifted gun and ammunition by Turkish president

    July 9, 2026

    Temasek takeaways: crypto, defense, AI, European luxury names

    July 9, 2026
    Facebook X (Twitter) Instagram
    Addison Markets
    • Home
    • USA
    • Europe
    • Business
    • Investing
    • Tech
    • Politics
    • Contact Us
    Addison Markets
    Home»Tech»Google pays $250K for Linux vulnerability allowing guest VM escapes
    Tech

    Google pays $250K for Linux vulnerability allowing guest VM escapes

    franperez66q@protonmail.comBy franperez66q@protonmail.comJuly 9, 2026No Comments2 Mins Read
    Facebook Twitter Pinterest Telegram LinkedIn Tumblr WhatsApp Email
    Share
    Facebook Twitter LinkedIn Pinterest Telegram Email



    A Linux vulnerability that allows untrusted virtual machines to gain root access to host machines is one of two high-severity flaws to surface this week in the open source operating system.

    The vulnerability resides in KVM, which is, in essence, a virtual machine app included in the kernel of many Linux distributions. The vulnerability, tracked as CVE-2026-53359, allows guest virtual machines—such as those used in cloud platforms to isolate one user’s instance from the host OS and other user instances—to break out of that container.

    Januscape: A threat to cloud platforms

    The vulnerability affects KVM running on both AMD and Intel processors. It exploits bugs residing in the KVM guest-side, the portion of the VM that consists of only resources like the OS or drivers present in the guest VM, rather than resources present on the host machine. The threat went unnoticed in the Linux kernel for 16 years.

    “With guest-side actions alone, an attacker can compromise the host that runs their VM,” Hyunwoo Kim, the researcher who discovered the flaw, wrote. “For example, an attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE).”

    Kim has named the vulnerability Januscape. The flaw is a use-after-free vulnerability—a form of memory corruption vulnerability that injects malicious code into recently freed regions of memory. The vulnerability resides in the shadow MMU emulation, a process that translates host memory addresses to hypervisor memory addresses and vice versa.

    Exploits will trigger guest-side actions alone to corrupt the host kernel’s shadow page, a data structure in the host that assists in the address translation. Kim has released a proof-of-concept exploit that runs in the guest VM to trigger a crash on the host OS. He said an exploit that fully escapes the guest also exists but won’t be released until “the very distant future.”



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    franperez66q@protonmail.com
    • Website

    Related Posts

    US seeks cheaper hunter-killer drones after Iran destroys $1B worth of Reapers

    July 9, 2026

    Samsung-backed Rebellions targets IPO in South Korea next year, CEO tells CNBC

    July 9, 2026

    The U.S. strikes Iran, Samsung’s Wall Street letdown, using AI for financial planning and more in Morning Squawk

    July 9, 2026

    Judge rejects Kalshi attempt to override New York state gambling laws

    July 9, 2026

    AirPods maker Luxshare slides over 5% in Hong Kong debut

    July 9, 2026

    Lawsuit: Man used Grok to make 7K sex images of stepdaughter, then shot himself

    July 9, 2026
    Leave A Reply Cancel Reply

    Top Reviews
    Editors Picks

    US seeks cheaper hunter-killer drones after Iran destroys $1B worth of Reapers

    July 9, 2026

    Sir Keir Starmer gifted gun and ammunition by Turkish president

    July 9, 2026

    Temasek takeaways: crypto, defense, AI, European luxury names

    July 9, 2026

    Indonesia’s Pertamina, Boeing sign MoU on sustainable aviation fuel development

    July 9, 2026
    © 2026 All right reserved
    • Privacy Policy
    • Terms & Conditions

    Type above and press Enter to search. Press Esc to cancel.