The entire business of shared hosting and public cloud rests on one assumption: the wall between tenants holds. Your VPS cannot reach your neighbor’s, and an ordinary user on a shared box cannot become root. In the first week of July 2026 the Linux kernel gave up two separate flaws that attack exactly those two walls, and vendors shipped fixes for both on the same day. Januscape (CVE-2026-53359) lets an attacker who controls a guest virtual machine escape to the host and run code as root, taking every other tenant on that machine with it. Bad Epoll (CVE-2026-46242) lets any unprivileged local user on a Linux system escalate to root, with a proof-of-concept its author puts at roughly 99 percent reliability. Neither is theoretical, both were demonstrated in Google’s kernel bug-bounty arenas, and for anyone who runs or rents multi-tenant infrastructure they are not two abstract CVEs but a direct hit on the guarantee the service is sold on.

  • Januscape (CVE-2026-53359) is a use-after-free in KVM’s shadow paging on x86. A guest with root can break out to the host and run commands as root, then take over or crash every co-tenant VM on that hardware. It affects both Intel and AMD.
  • The bug is roughly 16 years old. The vulnerable code has been present since Linux 2.6.36 in August 2010. The fix was merged into mainline in June 2026 (commit 81ccda30b4e8).
  • Nested virtualization is the trap. Even hosts using hardware EPT or NPT fall back to the legacy shadow MMU where the bug lives once a guest runs its own nested VMs, which is common in CI, sandboxing and cloud-in-cloud setups.
  • Bad Epoll (CVE-2026-46242) is a use-after-free race in the kernel’s eventpoll subsystem. Any local unprivileged user can reach root. It carries a CVSS v3.1 score of 7.8 (High) and is classified CWE-416.
  • Bad Epoll reaches beyond servers. It also affects Android, and can be triggered from inside Chrome’s isolated renderer, meaning it can be chained with a browser bug to escape the sandbox. The public exploit is reported at around 99 percent reliability.
  • Neither is known to be exploited in the wild yet. Bad Epoll is not on CISA’s Known Exploited Vulnerabilities list; for Januscape, CISA’s July 8, 2026 assessment records a public proof-of-concept and a “total” technical impact.
  • Patches are out. AlmaLinux shipped fixed kernels on July 6, 2026: 8, 9 and 10 for Januscape, and 9 and 10 for Bad Epoll. The only real mitigation for both is a patched kernel and a reboot.

Januscape: A 16-Year-Old Hole in the Wall Between Tenants

Virtualization is what makes multi-tenant hosting economical. A provider puts many customers’ virtual machines on one physical host and relies on the hypervisor, on Linux this is usually KVM, to keep each guest sealed inside its own box. Januscape breaks that seal. The official kernel description is blunt about the class of bug: it fixes a “shadow paging use-after-free due to unexpected role.” In plain terms, KVM decided whether it could reuse a memory page by looking only at the page’s address and not at what type of page it was. Because two different pages can share an address at different moments, KVM would sometimes grab the wrong one after it had already been freed, and an attacker inside the guest can steer that mistake into running their own code in the host kernel.

The detail that makes this dangerous in practice is nested virtualization. Modern CPUs have hardware that keeps guest and host memory separate cheaply, Intel calls it EPT and AMD calls it NPT, and most hosts use it by default, which sidesteps the buggy code path entirely. But the moment a guest starts running virtual machines of its own, KVM drops back to the older software shadow MMU, and that is precisely where Januscape lives. Nested virtualization is not exotic: it shows up in continuous-integration runners, in security sandboxes, and in any cloud-inside-a-cloud arrangement. On a multi-tenant public cloud, the researcher’s scenario is simply to spin up an instance, trigger the bug, and land as root on the host, from where every other customer’s VM on that machine is exposed. The flaw was demonstrated by security researcher Hyunwoo Kim, who goes by v4bel, as a zero-day in Google’s kvmCTF program. He published a proof-of-concept that panics the host kernel, which is a denial-of-service on its own, and withheld the full guest-to-host code. The National Vulnerability Database had not assigned a CVSS score as of July 11, 2026, but the impact does not need a number to be understood: guest root becomes host root, on hardware from both major vendors, using code that has been shipping since 2010.

Bad Epoll: One Ordinary User, One Race, Root

Where Januscape attacks the wall between virtual machines, Bad Epoll attacks the wall between users on a single system, and that makes it the more universal problem. The vulnerability is a use-after-free driven by a race condition in the kernel’s eventpoll subsystem, the machinery behind the widely used epoll interface. During cleanup in the kernel function ep_remove(), the code clears a pointer under one lock but keeps operating on the same file object inside the critical section, so two cleanup paths racing each other can leave the kernel using memory that has already been freed. An attacker who wins that race controls freed kernel memory, and from there escalates from an ordinary account to root. It carries a CVSS v3.1 base score of 7.8 (High) with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and the public exploit is reported to succeed roughly 99 percent of the time.

The reason this matters to hosts specifically is the local-attacker model. Shared hosting, managed WordPress, CI systems and any environment where customers get a shell or can run their own code all start from the position that a local unprivileged user is expected and must stay contained. Bad Epoll removes that containment. It also does not stop at servers: the flaw affects Android, and it can be triggered from within Chrome’s isolated renderer process, which means an attacker who already has code execution in a browser tab through a separate flaw could chain Bad Epoll to break all the way out of the sandbox. As of publication there is no sign it has been used in real attacks, it is not on CISA’s Known Exploited Vulnerabilities list, and the only working code is the kernelCTF proof-of-concept, but the researcher’s own write-up is clear that there is no workaround other than patching.

Why This Lands Harder on Hosts Than on Laptops

A single-user laptop can shrug at a local privilege-escalation bug, because the person at the keyboard is already the person who would gain root. Multi-tenant infrastructure has the opposite risk profile. The whole product is the promise that untrusted parties can share hardware safely, so a bug that lets one tenant reach another, or one user reach root, is not an edge case for a hosting provider; it is a breach of the core contract. Januscape and Bad Epoll are a matched pair on that front. Januscape is the horizontal break, guest to host to co-tenant. Bad Epoll is the vertical break, user to root, and because it can be reached from a browser renderer it is also a live concern for anyone running managed application platforms where customer code executes. Providers on Enterprise Linux rebuilds such as AlmaLinux, a common base under hosting control panels, should also note the asymmetry in exposure: Januscape reaches back to AlmaLinux 8, 9 and 10, while Bad Epoll, which entered the kernel more recently, affects the newer 9 and 10 lines but not 8. The lesson for capacity planning is that “we run an older, stable kernel” is not automatically safer, because these two bugs were introduced sixteen years apart and one of them predates most of the fleet it now threatens.

What to Patch, and When

Both flaws are fixed, and for both the remedy is the same shape: install the patched kernel your distribution ships and reboot into it. There is no configuration toggle that closes either hole while the vulnerable kernel is still running. On the mainline kernel, the KVM fix for Januscape was merged in June 2026 and the eventpoll fix for Bad Epoll landed in the stable trees, with the fixed versions recorded in the CVE entries. On AlmaLinux, which many hosting stacks track closely, the security update published on July 6, 2026 gives concrete targets: AlmaLinux 8 is fixed in kernel-4.18.0-553.141.2.el8_10 (Januscape only)AlmaLinux 9 in kernel-5.14.0-687.23.1.el9_8 (both flaws), and AlmaLinux 10 in kernel-6.12.0-211.31.1.el10_2 (both flaws). The practical priority order writes itself. If you run multi-tenant virtualization with nested guests enabled, Januscape is the fire; treat it as an emergency reboot cycle rather than a routine patch window. If you run any environment where customers or their code hold a local shell, Bad Epoll deserves the same urgency, because a High-severity local-to-root with a near-perfect public exploit is exactly the kind of bug that gets weaponized quietly. For everyone else the message is simpler: the wall your service is built on had two holes this month, both are now patched upstream, and the only thing between your fleet and the fix is a reboot you have not scheduled yet.

How We Verified This

The CVE identifiers, the use-after-free mechanisms and the affected-version ranges are taken from the National Vulnerability Database entries for CVE-2026-53359 and CVE-2026-46242, retrieved July 11, 2026, including the CVSS v3.1 score and vector of 7.8 (High) for Bad Epoll and NVD’s note that Januscape had not yet been assigned a CVSS score. The KVM shadow-paging and nested-virtualization mechanism, the 2.6.36 (2010) origin, the June 2026 mainline merge (commit 81ccda30b4e8), the kvmCTF demonstration and the researcher attribution to Hyunwoo Kim (v4bel) are drawn from Bleeping Computer’s and The Hacker News’s reporting and the AlmaLinux advisory. The eventpoll race detail, the Android and Chrome-renderer exposure, the roughly 99 percent exploit reliability and the “no workaround but patching” statement are from The Hacker News’s Bad Epoll coverage. The patched AlmaLinux kernel versions and the July 6, 2026 publication date are from AlmaLinux’s own blog post, which also links the upstream CVE record, kernel commit and public proof-of-concept. Exploitation status (not on CISA’s KEV list; CISA’s July 8, 2026 proof-of-concept and “total” impact assessment for Januscape) reflects those sources as of publication and may change.