iximiuz on Januscape and the limits of microVM safety claims
Useful corrective to simplistic microVMs-are-always-safer narratives, because the real boundary depends on what kernel and hardware virtualization surfaces you expose.
Logged at IST: 2026-07-14 11:05 IST
What it is: iximiuz warning that VMs and microVMs exposing /dev/kvm to untrusted guests were hit by the Januscape guest-to-host breakout class
Gist: The key update is that KVM-based isolation is not a free safety upgrade over containers if you hand untrusted guests nested virtualization. The disclosed Januscape bug is a guest-to-host KVM/x86 escape affecting systems that accept untrusted guests and expose nested virt, with mitigations including disabling nested virtualization until downstream kernels catch up.
Newsletter angle: Useful corrective to simplistic "microVMs are always safer" narratives, because the real boundary depends on what kernel and hardware virtualization surfaces you expose.
Supporting source: Canonical also published mitigation guidance: https://canonical.com/blog/januscape-linux-vulnerability-mitigations-available