{"id":91,"date":"2026-07-08T14:00:00","date_gmt":"2026-07-08T14:00:00","guid":{"rendered":"https:\/\/backendside.com\/blog\/2026\/07\/08\/januscape-cve-2026-53359-distros-still-no-patched-kernel\/"},"modified":"2026-07-08T16:41:47","modified_gmt":"2026-07-08T16:41:47","slug":"januscape-cve-2026-53359-distros-still-no-patched-kernel","status":"publish","type":"post","link":"https:\/\/backendside.com\/blog\/2026\/07\/08\/januscape-cve-2026-53359-distros-still-no-patched-kernel\/","title":{"rendered":"48 Hours After Januscape, the Big Distros Still Haven&#8217;t Shipped a Patched Kernel"},"content":{"rendered":"<p class=\"lead\">On 6 July 2026 the industry got the kind of vulnerability that is supposed to trigger an all-hands response: <strong>Januscape (CVE-2026-53359)<\/strong>, a guest-to-host escape in KVM that works on both Intel and AMD, sitting in the Linux kernel for sixteen years. Forty-eight hours later, if you run Ubuntu, Debian stable, or Red Hat Enterprise Linux, you still cannot <code>apt upgrade<\/code> or <code>dnf upgrade<\/code> your way to a fixed kernel from your vendor&rsquo;s main channel. That is not a good look, and it deserves to be said plainly.<\/p>\n<p>We covered <a href=\"https:\/\/backendside.com\/blog\/2026\/07\/08\/cve-2026-53359-januscape-kvm-vm-escape-fixes\/\">what Januscape is and how to mitigate it<\/a> in a separate post. This one is about the response &mdash; or the lack of one.<\/p>\n<h2>This was not a surprise drop<\/h2>\n<p>The usual defence when a distro is slow is &ldquo;they only just found out.&rdquo; That does not apply here. The upstream fix landed in the mainline kernel on <strong>19 June 2026<\/strong> (commit <code>81ccda30b4e8<\/code>). Public disclosure followed on <strong>6 July<\/strong>. That is more than two weeks in which every major vendor&rsquo;s security team could see the patch, understand the severity, and stage a backport &mdash; followed by two more days of public, sky-is-falling pressure.<\/p>\n<p>A use-after-free that lets a guest escape onto the host is close to a worst-case bug for anyone running multi-tenant virtualization. The people most exposed &mdash; cloud providers, hosting companies, anyone renting out VMs &mdash; are exactly the people who cannot simply &ldquo;disable nested virtualization and move on.&rdquo; They needed a kernel. Two days after disclosure, the biggest names still had not handed them one.<\/p>\n<h2>Where the major distros actually stand<\/h2>\n<p>Here is the state of play as reported on 7&ndash;8 July 2026. Always confirm against your vendor&rsquo;s live advisory before you act &mdash; this is a moving target &mdash; but the pattern is not flattering.<\/p>\n<table style=\"width:100%;border-collapse:collapse;margin:1rem 0;font-size:.9rem;\">\n<thead>\n<tr style=\"background:#f2f1ef;\">\n<th style=\"text-align:left;padding:.6rem .8rem;border:1px solid #e4e2de;\">Distribution \/ channel<\/th>\n<th style=\"text-align:left;padding:.6rem .8rem;border:1px solid #e4e2de;\">Status (48h after disclosure)<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">Mainline \/ kernel.org stable<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">&#9989; Fixed &mdash; 6.1.177, 6.6.144, 6.12.95, 6.18.38, 7.1.3<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\"><strong>Ubuntu<\/strong> (all releases)<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">&#10060; <strong>Vulnerable<\/strong> &mdash; no USN, no released kernel; livepatches still in testing<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\"><strong>Red Hat Enterprise Linux<\/strong><\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">&#9888;&#65039; <strong>Pending<\/strong> &mdash; fixes in a testing feed, nothing in the main channel<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">AlmaLinux 10 (RHEL rebuild)<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">&#9989; Fixed &mdash; patched kernel already in the main feed<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\"><strong>Debian<\/strong> trixie \/ sid<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">&#9989; Fixed &mdash; 6.12.95-1 \/ 7.1.3-1<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\"><strong>Debian<\/strong> bookworm (old stable line)<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">&#10060; <strong>Vulnerable<\/strong> &mdash; still on 6.1.176-1, no fixed build in security<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">Proxmox VE<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">&#10060; No fixed kernel yet &mdash; mitigation is to disable nested KVM<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>The most embarrassing detail<\/h2>\n<p>Look at the Red Hat line, then look at the AlmaLinux line. <strong>AlmaLinux &mdash; a free, community rebuild of RHEL &mdash; shipped a patched kernel to its main feed before Red Hat did.<\/strong> A downstream project whose entire job is to recompile Red Hat&rsquo;s sources beat the vendor those sources come from. If a volunteer-driven rebuild can turn a public commit into a released, installable kernel inside the window, the &ldquo;enterprise-grade QA takes time&rdquo; explanation gets a lot harder to accept.<\/p>\n<p>Debian&rsquo;s split is instructive too. Its testing and unstable lines picked up the fix (6.12.95-1 and 7.1.3-1), while the conservative bookworm line &mdash; the one a lot of production servers actually run &mdash; was still shipping a vulnerable 6.1.176-1. The users who most value Debian&rsquo;s stability are the ones left waiting the longest.<\/p>\n<h2>And it is worse than a slow single patch &mdash; because it is two<\/h2>\n<p>Here is the part that turns a delay into a genuine hazard. Januscape is <strong>not one bug<\/strong>. The complete upstream fix is <em>two<\/em> commits closing <em>two<\/em> CVEs in the same corner of the KVM code:<\/p>\n<ul>\n<li><strong>CVE-2026-53359<\/strong> &mdash; commit <code>81ccda30b4e8<\/code><\/li>\n<li><strong>CVE-2026-46113<\/strong> &mdash; commit <code>0cb2af2ea66a<\/code><\/li>\n<\/ul>\n<p>A kernel that carries only the first commit is <strong>still exploitable<\/strong> through the second. And because most administrators verify remediation by looking up a single CVE ID, it is entirely possible to check &ldquo;CVE-2026-53359 &mdash; fixed,&rdquo; tick the box, and remain vulnerable. A rushed, partial backport that lands one commit and not the other is arguably worse than shipping nothing, because it manufactures false confidence. When the eventual vendor kernels do land, <strong>confirm both commits are present<\/strong>, not just the headline CVE.<\/p>\n<h2>What you should actually do right now<\/h2>\n<p>Frustration aside, waiting on your vendor is not a security posture. While the big distros catch up:<\/p>\n<ul>\n<li><strong>Disable nested virtualization<\/strong> on any host that does not need it &mdash; it removes the trigger condition. Set <code>kvm_intel nested=0<\/code> (or <code>kvm_amd nested=0<\/code>) and reload the module or reboot.<\/li>\n<li><strong>Isolate untrusted guests.<\/strong> The attacker here is the guest. Multi-tenant and customer-facing hosts are the priority; do not run untrusted workloads on an unpatched hypervisor.<\/li>\n<li><strong>Consider a livepatch service or a mainline\/vendor testing kernel<\/strong> if your risk justifies it &mdash; but validate it in staging first, and make sure it closes <em>both<\/em> CVEs.<\/li>\n<li><strong>Live-migrate<\/strong> guests off a node so you can patch and reboot it without downtime, the moment a fixed kernel is available for your distro.<\/li>\n<li><strong>Track your vendor&rsquo;s advisory page, not a news headline<\/strong> &mdash; and re-check, because &ldquo;pending&rdquo; today can become &ldquo;released&rdquo; tomorrow.<\/li>\n<\/ul>\n<h2>The bigger point<\/h2>\n<p>Distributions ask for &mdash; and largely deserve &mdash; trust. The bargain is that when something catches fire, the people packaging your kernel move fast on your behalf. Januscape is the exact scenario that bargain exists for: a critical, weaponized, publicly-known VM escape with an upstream fix already in hand. Two weeks of lead time before disclosure, then forty-eight hours of open alarm, and the answer from the largest vendors was a testing feed and an empty changelog.<\/p>\n<p>The kernel developers did their job &mdash; the fix was written, reviewed and merged. Community rebuilds and Debian&rsquo;s fast lanes did theirs. The gap is in the last mile: turning a known-good commit into a released, installable kernel for the paying enterprise customers who are most exposed. On a bug this severe, &ldquo;soon&rdquo; is not an SLA. Ship the kernel.<\/p>\n<p style=\"font-size:.82rem;color:#6b6a66;\">Patch-status details reflect public reporting on 7&ndash;8 July 2026 and change quickly. Verify against your distribution&rsquo;s official security advisory before making remediation decisions. This post is commentary on release timing, not a claim about any vendor&rsquo;s internal process.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Januscape (CVE-2026-53359) is a guest-to-host VM escape that was fixed upstream on 19 June and disclosed publicly on 6 July. Two days later, Ubuntu has shipped nothing, Red Hat is stuck in a testing feed that a downstream rebuild already beat, and Debian stable is still vulnerable. For a VM-escape bug, that is not good enough \u2014 and it is made worse by the fact that Januscape is really two CVEs, not one.<\/p>\n","protected":false},"author":1,"featured_media":95,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,5],"tags":[],"class_list":["post-91","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-security"],"_links":{"self":[{"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/posts\/91","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/comments?post=91"}],"version-history":[{"count":1,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/posts\/91\/revisions"}],"predecessor-version":[{"id":96,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/posts\/91\/revisions\/96"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/media\/95"}],"wp:attachment":[{"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/media?parent=91"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/categories?post=91"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/tags?post=91"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}