Google pays $250K for Linux vulnerability allowing guest VM escapes
摘要
谷歌为一项允许虚拟机逃逸的Linux高危漏洞支付了25万美元赏金。该漏洞编号CVE-2026-53359,存在于Linux内核的KVM组件中,允许不受信任的客户虚拟机获取宿主机root权限,对云平台构成严重威胁。该漏洞影响AMD和Intel处理器上的KVM,源于客户端的KVM驱动bug,已在Linux内核中存在16年未被发现。
A Linux vulnerability that allows untrusted virtual machines to gain root access to host machines is one of two high-severity flaws to surface this week in the open source operating system.
The vulnerability resides in KVM, which is, in essence, a virtual machine app included in the kernel of many Linux distributions. The vulnerability, tracked as CVE-2026-53359, allows guest virtual machines—such as those used in cloud platforms to isolate one user’s instance from the host OS and other user instances—to break out of that container.
Januscape: A threat to cloud platforms
The vulnerability affects KVM running on both AMD and Intel processors. It exploits bugs residing in the KVM guest-side, the portion of the VM that consists of only resources like the OS or drivers present in the guest VM, rather than resources present on the host machine. The threat went unnoticed in the Linux kernel for 16 years.
转载信息
评论 (0)
暂无评论,来留下第一条评论吧