Skip to main content
Log in Sign up FREE!

Our ColossusCloud VPS platform is patched against Januscape

By ServerPoint's Team ·

If you follow virtualization security news, you may have seen a KVM issue called Januscape. It is tracked as CVE-2026-53359, and it got attention because it affects nested virtualization on x86 KVM hosts.

ServerPoint VPS services run on the ColossusCloud platform. That platform uses KVM, and nested virtualization is enabled for customers who need it. So this was not one of those security stories we could casually file away for later. We treated it as urgent host-platform work.

The important bit: the ColossusCloud platform behind ServerPoint VPS services is patched against Januscape.

What the bug affected

Januscape is a Linux kernel KVM vulnerability. More specifically, it is in the x86 KVM shadow memory-management code. The public writeups describe it as a guest-to-host isolation problem when nested virtualization is available.

That matters in VPS hosting because a customer usually has administrator or root access inside their own virtual server. That is normal. It is also why the isolation boundary between the guest VPS and the host hypervisor matters so much.

The NVD entry for CVE-2026-53359 describes the issue as a KVM x86 shadow-paging use-after-free. The upstream fix is tied to Linux kernel commit 81ccda30b4e8, with stable-kernel and vendor backports available for supported kernel branches.

What we patched

We patched the host KVM layer that runs the ColossusCloud VPS platform.

Depending on the host kernel branch, that means the upstream fix itself or the equivalent backported fix from the kernel vendor. Either way, the result is the same for our customers: the host side of the ColossusCloud platform includes the Januscape fix.

We did not just disable nested virtualization and call that a security strategy. Nested virtualization is useful for labs, development, Windows virtualization features, and customers testing their own hypervisor stacks. If we can keep the feature and patch the underlying host layer properly, that is the better answer.

No VPS downtime during the work

No customer virtual servers experienced downtime during this patching process.

That is one of the reasons the ColossusCloud platform is built on Ceph distributed storage. Your virtual server disk is not pinned to one local drive inside one physical host. It lives on Ceph, which means we can use live migration to move running VPS instances away from a hypervisor while maintenance happens.

So during this update, we could move workloads, patch hosts, and keep customer virtual servers running. From the customer side, there was nothing to schedule and nothing to reboot for this specific host-layer patch.

What customers need to do

For the ServerPoint VPS platform side, nothing.

Your own VPS still needs normal operating-system updates, just like always. If you run a nested virtualization stack inside your VPS, keep that software updated too. But the ColossusCloud host layer that provides KVM isolation for ServerPoint VPS services has already been patched for CVE-2026-53359.

Why we are saying this plainly

Security updates are usually boring when handled correctly. We prefer boring. Patch the hosts, keep workloads online, move on.

This one deserves a short note because it touches nested virtualization and KVM isolation, two things that matter directly to VPS customers. So here it is plainly: the patch work is done, nested virtualization remains available, and our Ceph-backed live migration kept customer virtual servers online while we handled it.