kernels since 2010
Stable: 6.1.177+
Hyunwoo Kim disclosed CVE-2026-53359 on July 6 after using it as a zero-day in Google's kvmCTF program, which offers up to $250,000 for full KVM guest-to-host escapes. The bug is a use-after-free in the KVM x86 shadow MMU, introduced by a commit in August 2010 and present in every affected kernel shipped in the 16 years since. Shadow paging is KVM's fallback memory translation path for guests that cannot use hardware-assisted page tables. When KVM reuses a shadow page whose role does not match the current translation context, it can free a kvm_mmu_page structure that is still referenced elsewhere. Anything that later touches that dangling pointer is operating on freed memory.
The public proof of concept demonstrates a reliable host kernel panic from inside a guest with a loadable kernel module and a few seconds of racing. Kim states that a separate, unreleased exploit turns the same corruption into full code execution with root on the host, which would put every other tenant VM on the same physical machine inside the blast radius. The exploit works on both Intel (VMX) and AMD (SVM) with separate code paths in the same trigger. Kim notes a secondary attack path: on distributions such as RHEL where /dev/kvm is world-accessible by default, an unprivileged local user can open the device, create a throwaway VM, and trigger the bug to crash the host without the server ever acting as a multi-tenant hypervisor. Fixes reached stable kernels on July 4 in versions 6.1.177, 6.6.144, 6.12.95, 6.18.38, and 7.1.3. Distribution backports are on their own schedules.
- Apply kernel updates containing commit 81ccda30b4e8 as soon as your distribution ships them. Check the package changelog rather than relying on uname -r alone, as backport version numbers vary. Reboot or use live patching.
- If patching cannot happen immediately, disable nested virtualization on hosts that accept untrusted guests: set kvm_intel.nested=0 on Intel or kvm_amd.nested=0 on AMD. This removes the primary guest-to-host escape path.
- On distributions where /dev/kvm is world-accessible (RHEL and derivatives by default), restrict permissions to prevent unprivileged local users from opening the device and triggering the denial-of-service path before the patch ships.