CVE-2026-53359
ANALYSIS PENDINGKVM: x86: Fix shadow paging use-after-free due to unexpected role
Title source: cnaExploitation Summary
EIP tracks 8 public exploits for CVE-2026-53359. PoCs published by Unclecheng-li, chuzhongyun, xj2268-TA.
AI-analyzed exploit summary This repository contains a functional proof-of-concept (PoC) kernel module for CVE-2026-53359, a KVM/x86 shadow MMU use-after-free vulnerability. The exploit triggers a race condition in kvm_mmu_get_child_sp() by mapping the same physical page as both a 2MB huge PDE and a 4KB page table, leading to host DoS or potential RCE.
Description
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected role Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN") fixed a shadow paging mismatch between stored and computed GFNs; the bug could be triggered by changing a PDE mapping from outside the guest, and then deleting a memslot. The rmap_remove() call would miss entries created after the PDE change because the GFN of the leaf SPTE does not match the GFN of the struct kvm_mmu_page. A similar hole however remains if the modified PDE points to a non-leaf page. In this case the gfn can be made to match, but the role does not match: the original large 2MB page creates a kvm_mmu_page with direct=1, while the new 4KB needs a kvm_mmu_page with direct=0. However, kvm_mmu_get_child_sp() does not compare the role, and therefore reuses the page. The next step is installing a leaf (4KB) SPTE on the new path which records an rmap entry under the gfn resolved by the walk. But when that child is zapped its parent kvm_mmu_page has direct=1 and kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[] in older kernels). It therefore fails to remove the recorded entry. When the memslot is dropped the shadow page is freed but the rmap entry survives, as in the scenario that was already fixed. Code that later walks that gfn (dirty logging, MMU notifier invalidation, and so on) dereferences an sptep that lies in the freed page, causing the use-after-free.
Exploits (8)
This repository contains a functional proof-of-concept (PoC) kernel module for CVE-2026-53359, a KVM/x86 shadow MMU use-after-free vulnerability. The exploit triggers a race condition in kvm_mmu_get_child_sp() by mapping the same physical page as both a 2MB huge PDE and a 4KB page table, leading to host DoS or potential RCE.
This repository provides a detailed technical walkthrough for upgrading the Linux Kernel to version 7.1.3 to remediate CVE-2026-53359, a use-after-free (UAF) vulnerability in KVM x86 Shadow MMU. The writeup includes root cause analysis, patch verification (commit 81ccda30b4e8), and step-by-step compilation/installation instructions for CentOS Stream 8.
This repository provides a Linux kernel module (LKM) that patches the CVE-2026-53359 (Januscape) vulnerability in KVM's shadow MMU via a text_poke hotfix. The exploit targets a use-after-free (UAF) in kvm_mmu_get_page() by NOP'ing a critical je instruction to prevent unsafe page reuse.
This repository provides a Linux kernel module (LKM) that patches the CVE-2026-53359 (Januscape) vulnerability in KVM's shadow MMU via a text_poke hotfix. The exploit replaces a vulnerable 'je' instruction with NOPs to prevent a use-after-free (UAF) condition caused by improper gfn/role comparison in kvm_mmu_get_page().
This document provides a detailed technical analysis of CVE-2026-53359, a use-after-free vulnerability in the Linux KVM shadow paging mechanism. The flaw arises from a role mismatch in kvm_mmu_page structures when a PDE mapping is modified from outside the guest, leading to dangling rmap entries and potential exploitation during memslot deletion.
This repository provides a zero-downtime livepatch kernel module for CVE-2026-53359, a KVM shadow MMU use-after-free vulnerability. The exploit uses ftrace-based function hooking to patch the `kvm_mmu_get_child_sp` function, adding a role.word comparison to prevent unsafe reuse of shadow pages.
This repository provides a detailed technical analysis of CVE-2026-53359, a Use-After-Free vulnerability in Linux KVM's x86 Shadow MMU (Januscape). The writeup explains the root cause, attack vector, and impact of the flaw, which allows a malicious guest to corrupt host memory, but does not include exploit code.
This repository contains a functional kernel module exploit for CVE-2026-53359, a guest-to-host DoS vulnerability in KVM/x86 shadow MMU. The exploit triggers a use-after-free in `kvm_mmu_get_child_sp()` by causing a role-mismatch shadow-page reuse, leading to a host kernel panic. The PoC supports both Intel VMX/EPT and AMD SVM/NPT architectures.