
16-year-old KVM flaw allows attackers to escape VMs and take over Linux servers
A critical vulnerability in the Kernel-based Virtual Machine (KVM) module of the Linux kernel allows attackers with root access in a guest VM to execute arbitrary code on the host system. This violates the most important security boundary that cloud providers and enterprises rely on to isolate sensitive processes on servers.
The vulnerability, tracked as CVE-2026-53359, stems from a use-after-free memory bug in the shadow MMU emulation of KVM on x86 CPU architecture. According to Hyunwoo Kim, the researcher who discovered it, the flaw has been present in the Linux kernel code for the past 16 years and is the first KVM guest-to-host escape vulnerability that works on both Intel and AMD CPUs.
...