Linux fixes critical flaw that allows virtual machines to escape in KVM

Emphasis Security

Two serious security flaws in the Linux kernel were (finally) fixed this week. THE first (Januscape) allowed an attacker who rented a virtual machine from cloud services to escape this limited environment and take full control of the physical server on which it was hosted.

In turn, and equally worrying, the second (GhostLock) it allowed a common user of the system to gain maximum privileges, becoming an administrator of the machine. Both they were hidden in the code more than 15 years ago.

Feature Januscape GhostLock
CVE CVE-2026-53359 CVE-2026-43499
Failure type Use-after-free (memory corruption) Use-after-free (memory corruption)
What affects KVM, the system that creates and manages virtual machines on Linux Code that organizes the processor task queue (futex priority inheritance)
Hidden time 16 years old 15 years
What an attacker can do Control the physical server from a rented virtual machine (RCE) or take down all virtual machines on the same server (DoS) Become system administrator (root) from a common account
What the attacker needs to have Root privileges within the virtual machine An account with limited rights on the system
Affected processors AMD and Intel
Who discovered Researcher Hyunwoo Kim Nebula Security team using Vega AI scanner
Amount paid by Google (through the kernelCTF Bug-Bounty program) US$250 thousand $92,337
Severity note 7.8 out of 10

The risk for cloud services

THE Januscape works within the KVMwhich is the program responsible for creating virtual machines within Linux. The problem lies in the part that translates memory addresses between the virtual machine and the physical server that hosts it, a process called memory emulation. Shadow MMU.

The researcher Hyunwoo Kim explained that the attack comes exclusively from within the virtual machine. An attacker who rented a single instance in a public cloud service could cause the physical server to crash, bringing down all other customers’ virtual machines that are on the same machine.

The other possibility is andexecute commands as physical server administratortaking control of the machine and all virtual machines hosted on it.

Kim published demo code that, when run inside the virtual machine, causes the physical server to crash.

He stated that he also has a code that completely escapes the virtual machine and gives full control over the server, but will only publish it in the very distant future.

The fault is not in QEMUanother program that also works with memory in virtualization. This means that the attack works even in clouds that set up their own virtualization environment, without using the default settings.

read more

  • NVIDIA open driver takes historic step and gains experimental support for DLSS on Linux
  • Linux finally fixes bug that limited 4K capture cards to 30 FPS
  • Valve works directly with NVIDIA to support SteamOS

How GhostLock Turned an Ordinary User into an Administrator

Matt Lucasresearcher and founder of RedEye Security, detailed that the GhostLock it’s in a part of the kernel that manages the processor’s task queue.

This system exists to prevent an urgent task from being stopped, waiting behind an unimportant task.

The problem appears at a very specific moment: when an operation reaches a dead end and needs to backtrack.

At that time, the cleaning that the system doeshappens at the wrong time and erases the record of the incorrect task. THE kernel it keeps holding a reference to a piece of memory that has already been erased and reused for something else. Relying on this old reference is a complete mistake, he explained. Lucas.

The team at Nebula Security used this error as a starting point and set up a sequence of steps to trick the kernel and make it execute commands as if it were the system administrator.

THE code in which the problem is was written in 2011 and, because it was widely used and rarely revised, the flaw went unnoticed all these years.

Finally, we emphasize that both flaws have already received official fixes in the Linux kernel. Who uses operating system You must check with the responsible distribution whether the corresponding update is already available for the installed version.

And there? What did you think about the controversial subject? Share your opinions and continue following Adrenaline!

Source: arstechnica

Related Content
Disclosure of the Mini40 laptop with Linux

Being created step by step

MagicX reveals the Mini40, new Linux-based retro emulation laptop.

Source: www.adrenaline.com.br
Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

2 × three =