CVE-2026-53359

ANALYSIS PENDING

KVM: x86: Fix shadow paging use-after-free due to unexpected role

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 8 public exploits for CVE-2026-53359. PoCs published by Unclecheng-li, chuzhongyun, xj2268-TA.

AI-analyzed exploit summary This repository contains a functional proof-of-concept (PoC) kernel module for CVE-2026-53359, a KVM/x86 shadow MMU use-after-free vulnerability. The exploit triggers a race condition in kvm_mmu_get_child_sp() by mapping the same physical page as both a 2MB huge PDE and a 4KB page table, leading to host DoS or potential RCE.

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected role Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN") fixed a shadow paging mismatch between stored and computed GFNs; the bug could be triggered by changing a PDE mapping from outside the guest, and then deleting a memslot. The rmap_remove() call would miss entries created after the PDE change because the GFN of the leaf SPTE does not match the GFN of the struct kvm_mmu_page. A similar hole however remains if the modified PDE points to a non-leaf page. In this case the gfn can be made to match, but the role does not match: the original large 2MB page creates a kvm_mmu_page with direct=1, while the new 4KB needs a kvm_mmu_page with direct=0. However, kvm_mmu_get_child_sp() does not compare the role, and therefore reuses the page. The next step is installing a leaf (4KB) SPTE on the new path which records an rmap entry under the gfn resolved by the walk. But when that child is zapped its parent kvm_mmu_page has direct=1 and kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[] in older kernels). It therefore fails to remove the recorded entry. When the memslot is dropped the shadow page is freed but the rmap entry survives, as in the scenario that was already fixed. Code that later walks that gfn (dirty logging, MMU notifier invalidation, and so on) dereferences an sptep that lies in the freed page, causing the use-after-free.

Exploits (8)

github WORKING POC 714 stars
by Unclecheng-li · cpoc
https://github.com/Unclecheng-li/poc-lab/tree/main/CVE-2026-53359 Januscape

This repository contains a functional proof-of-concept (PoC) kernel module for CVE-2026-53359, a KVM/x86 shadow MMU use-after-free vulnerability. The exploit triggers a race condition in kvm_mmu_get_child_sp() by mapping the same physical page as both a 2MB huge PDE and a 4KB page table, leading to host DoS or potential RCE.

Classification
Working Poc 98%
Attack Type
Dos
Complexity
Complex
Reliability
Racy
Target: Linux KVM/x86 (shadow MMU path, non-TDP MMU), kernel versions from 2.6.36 to 6.18
Auth required
Prerequisites: L1 guest root access · Host with nested virtualization enabled (Intel VMX or AMD SVM) · KVM guest environment (CONFIG_KVM_GUEST)
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →
github WRITEUP 1 stars
by chuzhongyun · poc
https://github.com/chuzhongyun/CVE-2026-53359-Kernel-Fix

This repository provides a detailed technical walkthrough for upgrading the Linux Kernel to version 7.1.3 to remediate CVE-2026-53359, a use-after-free (UAF) vulnerability in KVM x86 Shadow MMU. The writeup includes root cause analysis, patch verification (commit 81ccda30b4e8), and step-by-step compilation/installation instructions for CentOS Stream 8.

Classification
Writeup 98%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Linux Kernel (versions prior to 7.1.3), KVM x86 Shadow MMU
No auth needed
Prerequisites: Linux system with vulnerable kernel version · Root access for kernel compilation/installation · Development tools and dependencies for kernel build
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →
nomisec WORKING POC
by xj2268-TA · poc
https://github.com/xj2268-TA/KVM-Januscape

This repository provides a Linux kernel module (LKM) that patches the CVE-2026-53359 (Januscape) vulnerability in KVM's shadow MMU via a text_poke hotfix. The exploit targets a use-after-free (UAF) in kvm_mmu_get_page() by NOP'ing a critical je instruction to prevent unsafe page reuse.

Classification
Working Poc 98%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel KVM (Intel/AMD x86 with nested virtualization enabled, versions from 2010-08 to 2026-07)
Auth required
Prerequisites: Root access on the host (to load kernel modules) · KVM module loaded with nested virtualization enabled · Target kernel must expose kallsyms (CONFIG_KALLSYMS=y) · Stop_machine capability for safe text_poke execution
mistral-large-3 · analyzed Jul 10, 2026 Full analysis →
nomisec WORKING POC
by xj2268-TA · poc
https://github.com/xj2268-TA/LVM-Januscape

This repository provides a Linux kernel module (LKM) that patches the CVE-2026-53359 (Januscape) vulnerability in KVM's shadow MMU via a text_poke hotfix. The exploit replaces a vulnerable 'je' instruction with NOPs to prevent a use-after-free (UAF) condition caused by improper gfn/role comparison in kvm_mmu_get_page().

Classification
Working Poc 98%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel KVM (nested virtualization enabled, Intel/AMD x86 systems)
Auth required
Prerequisites: Root access on the host (to load kernel module) · KVM module loaded with nested virtualization enabled · Affected kernel version (2010-2026) with vulnerable kvm_mmu_get_page() implementation
mistral-large-3 · analyzed Jul 10, 2026 Full analysis →
github WRITEUP
by HORKimhab · poc
https://github.com/HORKimhab/poc-cve-collection/tree/main/2026/53xxx/CVE-2026-53359.md

This document provides a detailed technical analysis of CVE-2026-53359, a use-after-free vulnerability in the Linux KVM shadow paging mechanism. The flaw arises from a role mismatch in kvm_mmu_page structures when a PDE mapping is modified from outside the guest, leading to dangling rmap entries and potential exploitation during memslot deletion.

Classification
Writeup 98%
Attack Type
Other
Complexity
Complex
Reliability
Racy
Target: Linux kernel (KVM x86 subsystem)
No auth needed
Prerequisites: Ability to modify PDE mappings from outside the guest · Privileged access to trigger memslot deletion or MMU operations (e.g., dirty logging, MMU notifier invalidation)
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →
nomisec WORKING POC
by Aoripus-LTD · poc
https://github.com/Aoripus-LTD/Januscape-Hotfix

This repository provides a zero-downtime livepatch kernel module for CVE-2026-53359, a KVM shadow MMU use-after-free vulnerability. The exploit uses ftrace-based function hooking to patch the `kvm_mmu_get_child_sp` function, adding a role.word comparison to prevent unsafe reuse of shadow pages.

Classification
Working Poc 98%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (4.0–6.x) with KVM/x86 (Intel VMX/EPT or AMD SVM/NPT) and CONFIG_DYNAMIC_FTRACE=y
Auth required
Prerequisites: Root access to the target host · Kernel headers/devel packages installed · KVM module loaded · CONFIG_DYNAMIC_FTRACE=y and CONFIG_KALLSYMS_ALL=y · Compatible kernel version (4.0–6.x)
mistral-large-3 · analyzed Jul 07, 2026 Full analysis →
github WRITEUP
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-53359

This repository provides a detailed technical analysis of CVE-2026-53359, a Use-After-Free vulnerability in Linux KVM's x86 Shadow MMU (Januscape). The writeup explains the root cause, attack vector, and impact of the flaw, which allows a malicious guest to corrupt host memory, but does not include exploit code.

Classification
Writeup 98%
Attack Type
Other
Complexity
Complex
Reliability
Theoretical
Target: Linux Kernel KVM (x86 Shadow MMU)
No auth needed
Prerequisites: Vulnerable Linux KVM host with shadow paging enabled · Malicious guest VM with ability to modify page mappings · Nested virtualization or specific KVM configurations
mistral-large-3 · analyzed Jul 07, 2026 Full analysis →
github WORKING POC
by HORKimhab · cpoc
https://github.com/HORKimhab/CVE-2026-53359

This repository contains a functional kernel module exploit for CVE-2026-53359, a guest-to-host DoS vulnerability in KVM/x86 shadow MMU. The exploit triggers a use-after-free in `kvm_mmu_get_child_sp()` by causing a role-mismatch shadow-page reuse, leading to a host kernel panic. The PoC supports both Intel VMX/EPT and AMD SVM/NPT architectures.

Classification
Working Poc 99%
Attack Type
Dos
Complexity
Complex
Reliability
Reliable
Target: Linux kernel KVM/x86 (shadow MMU) before the patch for CVE-2026-53359, affecting both Intel and AMD architectures
No auth needed
Prerequisites: Guest access to a KVM virtual machine with nested virtualization enabled · Ability to load kernel modules in the guest · Target host must be using KVM shadow MMU (not TDP MMU) · Root privileges in the guest to load the module
mistral-large-3 · analyzed Jul 07, 2026 Full analysis →

Scores

EPSS 0.0018
EPSS Percentile 7.3%

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

Status published
Products (19)
linux/Kernel 2.6.36 - 6.1.177linux
linux/Kernel 6.13.0 - 6.18.38linux
linux/Kernel 6.19.0 - 7.1.3linux
linux/Kernel 6.2.0 - 6.6.144linux
linux/Kernel 6.7.0 - 6.12.95linux
Linux/Linux < 2.6.36
Linux/Linux 2.6.36
Linux/Linux 2032a93d66fa282ba0f2ea9152eeff9511fa9a96 - 1ae7d5a6db6c190ce183e3098ca0e0846e14d462
Linux/Linux 2032a93d66fa282ba0f2ea9152eeff9511fa9a96 - 2ad3afa40ac6aa340dada122f9abfa46c0a6eb35
Linux/Linux 2032a93d66fa282ba0f2ea9152eeff9511fa9a96 - 5e470998a23e4c3d89ed24e8172cb22747e61efa
... and 9 more
Published Jul 04, 2026
Tracked Since Jul 04, 2026