Google pays $250K for Linux KVM vulnerability allowing guest VM escapes
Google pays $250K for a 16-year-old Linux KVM vulnerability allowing untrusted VMs to gain root access to host machines.

A Linux vulnerability that allows untrusted virtual machines to gain root access to host machines is one of two high-severity flaws to surface this week in the open source operating system. The vulnerability resides in KVM, which is a virtual machine app included in the kernel of many Linux distributions. The vulnerability, tracked as CVE-2026-53359, allows guest virtual machines—such as those used in cloud platforms to isolate one user’s instance from the host OS and other user instances—to break out of that container.
The vulnerability affects KVM running on both AMD and Intel processors. It exploits bugs residing in the KVM guest-side, the portion of the VM that consists of only resources like the OS or drivers present in the guest VM, rather than resources present on the host machine. The threat went unnoticed in the Linux kernel for 16 years.
Google paid a $250,000 reward for the vulnerability, highlighting its severity. The bug was discovered and reported through the Google Zero program, which focuses on identifying critical vulnerabilities in widely used software. Why this matters: The discovery of this long-standing vulnerability in KVM underscores the importance of continuously monitoring and securing even the most fundamental components of open-source software.
For developers and businesses relying on Linux and KVM for their infrastructure, this incident serves as a stark reminder of the potential risks associated with virtualization technologies. The fact that the vulnerability went unnoticed for 16 years also raises questions about the effectiveness of current vulnerability reporting and patching processes. As cloud computing continues to grow, ensuring the security and isolation of virtual machines will be crucial, and incidents like this highlight the need for ongoing investment in security research and bug bounty programs.
The impact on consumers will largely be indirect, but it may lead to increased scrutiny and more robust security measures from cloud service providers.
Source: Ars Technica