ColossusCloud is fully patched against the Januscape KVM vulnerability

By ColossusCloud's Team

A serious KVM security issue was disclosed in July 2026. It is tracked as CVE-2026-53359, and you may have seen it mentioned online as Januscape.

The short version: ColossusCloud is patched against it. The longer version is still worth explaining, because this one involved nested virtualization, and we do support nested virtualization on our VPS platform.

What Januscape is

Januscape is a vulnerability in the x86 KVM code inside the Linux kernel. KVM is the virtualization layer that runs our VPS platform. The bug sits in a part of KVM that handles shadow memory-management structures, especially when nested virtualization is exposed to a guest.

Nested virtualization is the feature that lets a VPS run virtualization-aware workloads inside itself. Customers use it for lab environments, hypervisor testing, development platforms, Windows virtualization features, and other advanced VPS use cases.

That made this vulnerability relevant to us. We support nested virtualization because it is useful, but it also means we treat KVM kernel security updates as urgent infrastructure work.

Public reports describe Januscape as a guest-to-host isolation issue on x86 KVM hosts when nested virtualization is available. The NVD record for CVE-2026-53359 describes the underlying bug as a KVM x86 shadow-paging use-after-free. The upstream Linux fix is tied to Linux kernel commit 81ccda30b4e8, with vendor and stable-kernel backports available for supported kernel lines.

What we did

We patched the ColossusCloud virtualization layer across our production KVM hypervisors.

That means the host side of our VPS platform now includes the fix for CVE-2026-53359, either through the upstream kernel change or the equivalent vendor backport for the kernel branch in use on each host.

We also reviewed the exposure path because nested virtualization is enabled on our platform. The right fix was not a warning banner, a vague “we are monitoring this” message, or disabling a useful feature and calling it done. The right fix was to patch the host kernel layer that provides KVM isolation.

That work is complete.

No customer downtime during the patching

This is the part that matters just as much as the patch itself: no customer virtual servers experienced downtime during this process.

That is because our VPS platform uses live migration, and that is possible because virtual server disks live on Ceph distributed storage instead of being tied to one physical hypervisor. We could move running VPS instances away from hosts while maintenance happened, patch the host layer, and keep customer workloads online.

Ceph does a lot of quiet work in the background. Most days, customers just experience it as reliable storage. During work like this, it also lets us patch infrastructure without turning a security update into a customer outage.

Do customers need to do anything?

No platform-side action is required from customers.

Your VPS may still need normal operating-system updates inside the guest, especially if you run your own virtualization software inside it. But the ColossusCloud host layer that provides KVM isolation has already been patched.

If you run a nested virtualization stack inside your VPS, such as a test hypervisor or lab environment, you should still keep that software current. That is separate from the ColossusCloud host patch.

Why we are posting about it

Most kernel security work is invisible when it goes well. That is the point. Hosts get patched, workloads keep running, and customers never need to learn the names of obscure kernel functions.

Januscape is different because it touches the boundary customers care about most: the isolation between a VPS and the host running it. It also relates to nested virtualization, a feature we intentionally make available on our platform.

So we wanted to be direct:

  • ColossusCloud uses KVM for VPS virtualization.
  • ColossusCloud supports nested virtualization.
  • CVE-2026-53359 was relevant enough to treat as urgent.
  • Our KVM host platform is fully patched against it.
  • Live migration on Ceph let us complete the work without customer VPS downtime.

Security updates are part of running a VPS platform responsibly. This one mattered, and it has been handled.

Categories: