seth-arnold
on 11 July 2026
Januscape vulnerability CVE-2026-53359 mitigations available
Introduction
A local privilege escalation (LPE) vulnerability affecting the Linux kernel was publicly disclosed on July 6, 2026. The vulnerability was assigned CVE ID CVE-2026-53359 and is referred to as Januscape. This vulnerability affects all Ubuntu releases.
Neither NVD nor Kernel.org have published their own CVSS scores for this issue; we calculated it as CVSS 4 8.4 and have seen others publish CVSS 3 7.8, 8.8, and CVSS 4 9.3.
The vulnerability affects nested virtualization in the KVM system on Intel and AMD x86_64 systems. Other architectures are not affected. A Proof of Concept exploit was published that demonstrates crashing a hypervisor host from a guest. Some reports claim that a full exploit exists.
The fix must be installed in the hypervisor’s kernel: if you are using a cloud service provider with a hypervisor based on Linux KVM on Intel or AMD hardware and you can use nested virtualization, your VM or host may be compromised by another tenant. If your cloud service provider does not allow nested virtualization, you are not affected by this issue.
If you run hypervisors yourself, your attack surface is from root in your guest virtual machines.
Linux kernel packages which implement the proposed patch will be released. Until security updates are available, you can disable nested virtualization to prevent abuse of this issue. This might disrupt your legitimate work and you should weigh the pros and cons before using this mitigation.
This post describes how to disable nested virtualization.
Which Ubuntu releases are affected by CVE-2026-53359?
| Release | Package Name | Remediation status |
| Trusty (14.04) | linux | Fix pending |
| Xenial (16.04) | linux | Fix pending |
| Bionic (18.04) | linux | Fix pending |
| Focal (20.04) | linux | Fix pending |
| Jammy (22.04) | linux | Fix pending |
| Noble (24.04) | linux | Fix pending |
| Resolute (26.04) | linux | Fix pending |
How to check if you are impacted by CVE-2026-53359
grep . /sys/module/kvm_{amd,intel}/parameters/nested
# 1 or Y means you are impacted. 0 or N means mitigated.
# One or two "No such file or directory" is expected.
# Two "No such file or directory" does not itself mean
# you are safe -- the module may still be loaded later.
Impact of CVE-2026-53359
Deployments without virtualization workloads
Even if you do not have virtual machines running now, system services such as libvirt, lxd, multipass, incus, etc may allow users to create virtual machines in future. An attacker could use the ability provided by these services to create virtual machines and perform local privilege escalation (LPE) by exploiting this vulnerability. Device node permissions may also allow users the necessary permissions to exploit the vulnerability. Inspect the output of namei -l /dev/kvm and getfacl /dev/kvm to see the permissions on the usual device node. You should ensure that only privileged users can write to the /dev/kvm device. The default on Ubuntu is that /dev/kvm is only writable by the superuser (root) and the kvm group. Only privileged users are added to the kvm group.
Deployments with container workloads
Unprivileged containers do not have sufficient permissions to start KVM-accelerated virtual machines and are thus not a vector for concern. Privileged containers may have sufficient permissions to start KVM-accelerated virtual machines and should not be considered safe. These should be treated as per the ‘Deployments without virtualization workloads’ section, above.
Deployments with virtualization workloads
Any process or user inside a virtual machine that can cause kernel module loading – or supply a new kernel – can manipulate page tables sufficiently to crash or potentially exploit the host or exploit other guest virtual machines on the host.
How to apply mitigations for CVE-2026-53359
You can disable virtualization nesting on your hosts:
# unload modules, both are harmless
sudo rmmod kvm_amd ; sudo rmmod kvm_intel
# look to see if any configuration file forces nesting on
grep nested /etc/modprobe.d/*
# disable nesting for the implementations of KVM in both AMD and Intel processors
echo 'options kvm_amd nested=0' | sudo tee /etc/modprobe.d/nested.conf
echo 'options kvm_intel nested=0' | sudo tee -a /etc/modprobe.d/nested.conf
# reload modules if necessary, both are harmless
sudo modprobe kvm_amd ; sudo modprobe kvm_intel


