Google awarded $250,000 through its vulnerability rewards program for discovering a critical Linux kernel vulnerability that allows untrusted users to escape virtual machines and gain root privileges.
The vulnerability enables guest virtual machines to break out of their isolated environments and execute code with root-level access on the host system. This represents a severe security risk in cloud computing and virtualization infrastructure where VMs must remain isolated from one another.
Untrusted users—such as cloud tenants in multi-tenant environments—could exploit the flaw to compromise the underlying host system and potentially access other virtual machines or sensitive data. The vulnerability affects the Linux kernel's core isolation mechanisms that separate guest VMs from the hypervisor and host OS.
Google's vulnerability rewards program offers bounties for security researchers who responsibly disclose flaws in Google services and infrastructure. The $250,000 payout reflects the severity and exploitability of this particular vulnerability, placing it among the highest-value Linux kernel bugs discovered in recent years.
The discovery underscores ongoing security challenges in kernel development despite years of hardening efforts. VM escape vulnerabilities are particularly critical because they breach the fundamental security boundary that containerization and virtualization rely upon.
Google has not disclosed specific technical details of the vulnerability or which Linux kernel versions are affected, allowing time for patches to be developed and deployed before public disclosure. The company typically coordinates with the Linux kernel security team and affected vendors to ensure fixes are available before vulnerability details become public.
This discovery adds to a growing list of significant kernel vulnerabilities uncovered in recent years, including Spectre, Meltdown, and various privilege escalation flaws. Security researchers continue finding ways to breach kernel protections, highlighting the complexity of maintaining secure isolation in modern operating systems.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.
Vancouver Police Department has implemented a discreet button on its website that instantly closes the page and clears browser history when clicked. The feature is designed to help domestic violence survivors quickly hide their browsing activity.
Europe's digital identity wallet age verification system will only work on iOS and Android devices, excluding alternative mobile platforms. The technical specification has drawn criticism from privacy advocates and open-source developers.