Analysis updated 2026-05-18
Confirm whether a cloud host's arm64 kernel has the relevant security patch applied.
Study how a real world virtual machine escape vulnerability was discovered and exploited.
Use the proof of concept as a reference when researching similar kernel-level virtualization bugs.
| v4bel/itscape | nirvanaon/spotifyc2 | chaelsoo/hollow | |
|---|---|---|---|
| Stars | 91 | 98 | 80 |
| Language | C | C | C |
| Setup difficulty | hard | moderate | moderate |
| Complexity | 5/5 | 3/5 | 3/5 |
| Audience | researcher | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires building a custom Linux kernel and running it under QEMU with specific kconfig and tooling.
ITScape is a security research project that documents and demonstrates a serious bug in KVM, the technology that lets a single physical computer run many separate virtual machines at once. Cloud providers use KVM to give different customers their own isolated virtual servers on shared hardware. This project shows how a flaw in that isolation, specifically in the arm64 version of KVM, could let someone inside one of those virtual machines break out and run commands directly on the underlying host computer with full administrator level access. The bug lives in a part of KVM called vGIC-ITS, which handles how interrupts (signals that tell a computer's processor to pause and handle something urgent) are managed for virtual machines on arm64 hardware, the architecture used in many phones, some laptops, and a growing share of cloud servers. The flaw is a race condition, meaning it depends on two operations happening in an unexpected order or timing. Because the bug sits inside the Linux kernel itself rather than in the separate QEMU software that usually handles virtual machine emulation, it does not depend on QEMU at all, and it gives an attacker host level kernel privileges rather than the lower level access a QEMU process would normally have. The repository includes a proof of concept, a working demonstration that a person inside a guest virtual machine can trigger the bug and create a file on the host computer as proof of the escape. This proof of concept runs inside a QEMU emulated test environment for safety and is built on top of existing Linux kernel testing tools. It is described as a research demonstration rather than a fully weaponized attack tool. Turning it into something usable against a real cloud environment would still require significant additional work tailored to that environment. The project explains which kernel versions are affected, notes that the issue was reported responsibly and patched before publication, and states plainly that it only affects arm64 systems running KVM, not other processor types. It also warns that the code should only be used on systems the reader is authorized to test.
A documented security bug that let someone inside a virtual machine on arm64 KVM break out and gain root control of the host computer.
Mainly C. The stack also includes C, Linux kernel, KVM.
No license information is provided in the README.
Setup difficulty is rated hard, with roughly 1day+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.