Google Pays $250K for Linux Vulnerability Allowing Guest VM Escapes

Researchers disclosed two high-severity Linux kernel vulnerabilities that allow untrusted users to escalate privileges to root. One flaw, named Januscape (CVE-2026-53359), affects KVM virtualization and enables guest virtual machines to escape containment and execute code on the host, while the other, GhostLock (CVE-2026-43499), is a use-after-free bug in the futex priority-inheritance code enabling local root escalation. Google awarded $250,000 and $92,337 through its bug bounty program for these vulnerabilities, which have now been patched in the Linux kernel.

https://arstechnica.com/security/2026/07/high-severity-guest-vm-escape-is-1-of-2-linux-vulnerabilities-to-surface-this-week/

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top