ArticlesRocky Linux

Mitigating Januscape (CVE-2026-53359) on Rocky Linux 8, 9, 10, and LTS Variants

cvecve-2026-53359securitykernelrocky linuxltskvmvirtualizationmitigationtroubleshooting

Arsalan Zaidi
Customer Support Engineering Lead

Jul 06, 2026

Introduction

Januscape, tracked as CVE-2026-53359, is a use-after-free vulnerability in the Linux kernel's KVM/x86 shadow MMU emulation. A guest virtual machine can exploit the flaw to corrupt host kernel shadow pages and break guest-host isolation, enabling a full guest-to-host escape on both Intel (VMX/EPT) and AMD (SVM/NPT) platforms. On systems where /dev/kvm is world-writable (permissions 0666), a local unprivileged user can also exploit the vulnerability for privilege escalation without needing an existing guest VM.

The vulnerability was latent in the KVM codebase for approximately 16 years before being discovered. It was successfully exploited as a zero-day in Google's kvmCTF program. A proof-of-concept kernel module that demonstrates a host kernel crash (DoS) is publicly available as of the disclosure date.

This article covers Rocky Linux 8, 9, and 10 systems, including CIQ LTS, FIPS, and RLC Pro variants. It describes what the vulnerability affects, how to confirm patch status, and recommended actions.

Problem

Januscape exploits a role-mismatch shadow-page reuse condition in the KVM function kvm_mmu_get_child_sp(). When a guest VM performs specific memory management operations, the shadow MMU can reuse a shadow page whose role metadata does not match the current context. This creates a use-after-free condition where the guest can read and write host kernel memory through the corrupted shadow page mapping.

The public proof-of-concept is a kernel module loaded inside the guest VM. It spawns multiple virtual CPUs and manipulates nested page table entries to trigger the role mismatch. The resulting corruption causes a host kernel crash (denial of service). While the underlying use-after-free could theoretically enable arbitrary code execution on the host, the published PoC demonstrates a DoS condition only.

Treat the following systems as affected if they run KVM workloads or have the KVM kernel modules loaded:

  • Rocky Linux 8, 9, and 10 community releases (x86_64)
  • Rocky Linux 8 and 9 LTS variants
  • RLC Pro FIPS variants
  • RLC Pro variants based on Rocky Linux 8, 9, or 10, including RLC Pro Hardened

The primary attack surface is any multi-tenant or shared KVM host where guests are not fully trusted. The secondary attack surface is any system where /dev/kvm is world-writable, which allows local unprivileged users to create and control KVM guests without root access.

Systems that do not use KVM (no kvm, kvm_intel, or kvm_amd modules loaded) are not exploitable through this vulnerability.

Status

  • Patched kernels are in development. CIQ engineering is actively building patched kernels for all supported variants. The Patched Kernels table below will be updated as builds become available and pass validation.
  • The mainline kernel fix is available. The upstream fix (commit 81ccda30b4e8) implements a role.word reuse check in kvm_mmu_get_child_sp() to prevent shadow-page reuse with mismatched roles.
  • Recommended action for KVM hosts: audit /dev/kvm permissions and restrict to group-only access (0660) if currently world-writable. Avoid running untrusted guest workloads on unpatched hosts. See the Notes section for details.
  • CIQ Bridge (CentOS 7): CentOS 7's KVM does not contain the affected code path. CIQ Bridge customers are not affected.
  • Open a support case if you need help assessing exposure across your KVM infrastructure or tracking patched kernel availability for your specific CIQ variant.

Patched kernels

No patched kernels are available as of 2026-07-06. CIQ updates this table as tested kernels become available for each variant.

The Repo links will require your CIQ depot credentials. If you need to retrieve them, log in to the CIQ Portal.

Variant Patched Kernel Version Repo Released

Confirm what kernel is running on a given system with:

uname -r

Installing the update

Once patched kernels are available, install them using the standard update process for your variant.

RLC Pro LTS and FIPS variants:

sudo dnf update kernel*
sudo reboot

No additional repository configuration is needed. The patched kernel will be available from your configured LTS or FIPS repository.

RLC Pro, CIQ SIG/Cloud Next, and specific LTS versions:

sudo dnf refresh
sudo dnf update kernel*
sudo reboot

If your system uses Depot channels, verify that the correct channel is enabled before updating. Retrieve your depot credentials from the CIQ Portal if needed.

Community Edition (RESF):

sudo dnf update kernel*
sudo reboot

The patched kernel will be available from the standard BaseOS repository once the upstream fix reaches the Rocky Linux kernel builds.

Verification

After installing a patched kernel and rebooting, confirm the fix is in place:

uname -r

Compare the output against the Patched Kernel Version column in the table above. If your system reports one of the patched versions (or newer), the fix is active.

To confirm whether KVM modules are loaded on a system:

lsmod | grep -E '^kvm'

Systems that do not load kvm, kvm_intel, or kvm_amd modules are not exposed to this vulnerability regardless of kernel version.

Resolution

  1. Install the patched kernel for your variant using the instructions in the Installing the Update section.
  2. Reboot the system.
  3. Verify the running kernel matches a patched version from the Patched Kernels table.
  4. If you restricted /dev/kvm permissions as an interim measure, you may restore the original permissions after confirming the patched kernel is running.

Notes

  • Guest-to-host escape. This vulnerability breaks KVM guest-host isolation. Any guest VM on an unpatched host can potentially compromise the host kernel. Multi-tenant environments, shared hosting platforms, and cloud infrastructure running KVM should prioritize patching.
  • Local privilege escalation via /dev/kvm. On systems where /dev/kvm has world-writable permissions (0666), a local unprivileged user can exploit the vulnerability without needing an existing guest VM. Check permissions with stat -c '%a' /dev/kvm. If the output shows 666, restrict access to 660 or 600 until the patched kernel is installed. Most enterprise distributions configure /dev/kvm as group-accessible (0660, group kvm) by default, which limits exposure to users in the kvm group.
  • Dual-architecture PoC. The public proof-of-concept supports both Intel (VMX/EPT) and AMD (SVM/NPT) platforms. Both processor families are affected when running KVM with shadow MMU emulation.
  • kvmCTF exploitation. The vulnerability was exploited as a zero-day in Google's kvmCTF program prior to disclosure, confirming real-world impact against production KVM configurations.
  • 16-year latent bug. The vulnerable code path has existed in the KVM subsystem for approximately 16 years. Systems running any kernel version with KVM/x86 shadow MMU support should be treated as affected until patched.
  • Public DoS proof-of-concept. A proof-of-concept kernel module that crashes the host kernel is publicly available as of the July 6, 2026 disclosure. The PoC demonstrates denial of service; no public exploit achieving code execution has been released. Treat affected KVM hosts running untrusted guests as at risk of guest-triggered host crashes until patched.

Related articles