CVE-2026-46316 · CRITICAL · CNA: Linux

CVE-2026-46316: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry

vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().

The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.

xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.
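The double put the record describes, as a user-space C model added here for illustration (it is not kernel code and not part of the CVE record). One cache slot stands in for the per-ITS xarray, two drain contexts A and B stand in for two concurrent callers of vgic_its_invalidate_cache(), and a schedule either serializes them or interleaves them the way the race does. `irq_put`, `cache_erase`, `PUT_ITERATED`/`PUT_ERASED` and the two schedules are invented stand-ins for vgic_put_irq(), xa_erase() and the pre-/post-fix behaviour; the refcount starts at 2 to model one reference held by the ITE and one held by the translation cache.

```c
#include <stdio.h>

/* Toy vgic_irq: the object a translation-cache entry points at. */
struct irq_obj {
    int refcount;   /* 2 at start: one ITE reference, one cache reference */
    int freed;      /* set when the count reaches 0 */
};

/* Toy single-slot xarray standing in for the per-ITS translation cache. */
struct cache {
    struct irq_obj *slot;
};

/* What one draining context remembers while walking the cache. */
struct context {
    struct irq_obj *iterated;   /* pointer observed during the xa_for_each() walk */
    struct irq_obj *erased;     /* value returned by the xa_erase() stand-in */
};

enum op { OBSERVE, ERASE, PUT };
struct step { int who; enum op op; };   /* who: 0 = context A, 1 = context B */

enum policy {
    PUT_ITERATED,   /* pre-fix: put the pointer seen during iteration */
    PUT_ERASED,     /* post-fix: put only what this context's erase returned */
};

/* Drop one reference; the object counts as freed when the count hits zero. */
static void irq_put(struct irq_obj *irq)
{
    if (--irq->refcount == 0)
        irq->freed = 1;
}

/* xa_erase() stand-in: remove the entry and return the previous value. */
static struct irq_obj *cache_erase(struct cache *c)
{
    struct irq_obj *old = c->slot;

    c->slot = NULL;
    return old;
}

static void run_step(const struct step *s, enum policy p,
                     struct cache *c, struct context *ctx)
{
    struct irq_obj *victim;

    switch (s->op) {
    case OBSERVE:
        ctx->iterated = c->slot;    /* NULL once erased: nothing left to walk */
        break;
    case ERASE:
        ctx->erased = cache_erase(c);
        break;
    case PUT:
        victim = (p == PUT_ITERATED) ? ctx->iterated : ctx->erased;
        if (victim)
            irq_put(victim);
        break;
    }
}

/* Context A finishes before B starts: B's erase finds nothing to put. */
const struct step SERIAL_SCHEDULE[] = {
    {0, OBSERVE}, {0, ERASE}, {0, PUT},
    {1, OBSERVE}, {1, ERASE}, {1, PUT},
};

/* Both contexts observe the same entry before either erases it: the race. */
const struct step RACY_SCHEDULE[] = {
    {0, OBSERVE}, {1, OBSERVE},
    {0, ERASE},   {1, ERASE},
    {0, PUT},     {1, PUT},
};

#define SCHEDULE_LEN 6

/* Run a schedule under a policy and return the entry's final refcount:
 * 1 means the ITE's reference survived, 0 means the entry was freed while
 * the ITE still maps it. */
int final_refcount(enum policy p, const struct step *sched, int n)
{
    struct irq_obj irq = { .refcount = 2, .freed = 0 };
    struct cache c = { .slot = &irq };
    struct context ctx[2] = { { 0 }, { 0 } };
    int i;

    for (i = 0; i < n; i++)
        run_step(&sched[i], p, &c, &ctx[sched[i].who]);
    return irq.refcount;
}

int main(void)
{
    printf("serial, pre-fix:   refcount=%d\n", final_refcount(PUT_ITERATED, SERIAL_SCHEDULE, SCHEDULE_LEN));
    printf("serial, post-fix:  refcount=%d\n", final_refcount(PUT_ERASED,   SERIAL_SCHEDULE, SCHEDULE_LEN));
    printf("racy,   pre-fix:   refcount=%d\n", final_refcount(PUT_ITERATED, RACY_SCHEDULE,   SCHEDULE_LEN));
    printf("racy,   post-fix:  refcount=%d\n", final_refcount(PUT_ERASED,   RACY_SCHEDULE,   SCHEDULE_LEN));
    return 0;
}
```

The serial schedule gives the same result under both policies, which is the "behavior is unchanged when only one context runs" property from the fix description. Under the racy schedule only the pre-fix policy drives the count to zero: both contexts saw the entry, only A's erase returned it, but both put the pointer they iterated. The post-fix policy puts exactly what each context's erase returned, so the cache's single reference is dropped once regardless of interleaving.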

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: 0 (a range sentinel carried over from the CVE record's version list, not a release; the fix versions are listed under Fix available below)
Affected Products: 2


HarborGuard Analysis

Synopsis

A use-after-free exists in the translation-cache invalidation path of the Linux kernel's KVM arm64 virtual interrupt controller (vGIC-ITS). vgic_its_invalidate_cache() can run concurrently from three contexts that take different locks, or none at all (the ITS command handlers, the GITS_CTLR write path and the path that clears EnableLPIs in GICR_CTLR), and each one drops the cache's reference on the entry it iterated rather than on the entry it actually erased, so the cache's single reference can be put more than once and the object freed while an interrupt table entry (ITE) still maps it. All three paths are driven by guest writes to emulated GIC registers, so the flaw is reachable locally without authentication (CVSS AV:L, PR:N) and the practical attacker is a guest VM on an affected arm64 host. HarborGuard rates the outcome as full read, write and execute control of the host kernel (C:H/I:H/A:H with scope changed). Patched-image rebuilds at 6.12.93, 6.18.35, 7.0.12 and 7.1-rc7 (and the corresponding upstream commit hashes) are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both registries and CI/CD pipelines, including custom-built images that carry an affected kernel version. Because the vulnerable code is the host kernel's KVM arm64 vGIC-ITS emulation, the match that matters is on VM and node images; a container image that ships no kernel inherits its exposure from the node it runs on.

Triage: Available

HarborGuard scores this CVE at 9.3 CRITICAL (CVSS v3.1) and can weight that score against each environment's compliance policy to route alerts to the appropriate team inbox inside each customer organization.

Patch: Available

A patched-image rebuild at the fix versions (6.12.93, 6.18.35, 7.0.12, 7.1-rc7, or the pinned upstream commits) becomes available through HarborGuard once the upstream fix is confirmed; for customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs code running locally: in practice inside a guest VM that can write its emulated ITS command queue or its GITS_CTLR and GICR_CTLR registers, or in a host process that holds the VM's KVM file descriptors. No network path to the vulnerable component is required (CVSS AV:L).

  • Authentication: Not required

    No account credentials or prior authentication are needed to reach the vulnerable code path (CVSS PR:N).

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from any other user or process (CVSS UI:N).

  • Attack complexity: Low

    CVSS rates the complexity as low (AC:L) because every racing path is attacker-driven: the ITS command handlers, the GITS_CTLR write path and the GICR_CTLR EnableLPIs path are all reached by guest register writes, so the attacker decides when two of them run, for example from two vCPUs at once. Triggering the double put does still require that concurrency, and turning the freed object into controlled memory corruption rather than a host crash carries the usual reliability problems of a use-after-free.

Blast Radius

  • Kernel memory disclosure: an arbitrary kernel read exposes cryptographic keys, session tokens and any other data held in host kernel memory, including the state of other guests.
  • Kernel memory corruption: an arbitrary kernel write allows modification of security policies, process credentials and persistent data structures on the host.
  • Host kernel code execution: because the racing paths are driven from inside a VM, the attacker is the guest, and code execution in the host kernel is a VM escape that compromises every other guest and container on that machine (CVSS scope: changed).
  • The most easily reached outcome of the use-after-free is a host kernel crash that takes down every workload on the machine, so denial of service is the floor even where the memory-corruption primitives are not achieved.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46316 is active across all customer environments with no configuration required, matching affected kernel versions in both pulled and custom-built images. For environments running an affected Linux kernel version, a patched-image rebuild at 6.12.93, 6.18.35, 7.0.12, 7.1-rc7 or the designated upstream commits is made available as soon as the fix is confirmed in HarborGuard's ingestion pipeline. For customers who opt into auto-remediation, HarborGuard can rebuild the image, execute the configured regression-test suite, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where an immediate kernel upgrade is not possible, HarborGuard recommends applying network-policy isolation to limit lateral movement from any compromised host, and flagging the affected nodes for priority scheduling of the kernel update through your change-management process. Two practical caveats: the vulnerable code is KVM's arm64 vGIC-ITS emulation, so a host is exposed only if it is arm64, runs KVM guests, and gives those guests a GICv3 ITS; a kernel of the same version on x86 or on an arm64 host with no such guests carries the bug but offers no path to it. And because the trigger is a guest driving its own interrupt controller, the interim control that actually reduces exposure is to keep untrusted guests off unpatched arm64 nodes; network policy limits what a compromised host can reach afterwards but does not prevent the escape itself.


Fix available

  • Releases: 6.12.93, 6.18.35, 7.0.12, 7.1-rc7
  • Upstream commits: 13031fb6b8357fbbcded2a7f4cba73e4781ee594, 2bbc395e81bd29c543a0529a678327e932a7ec69, 9121f4605ab94969f62d1b5714ca3c6c69bd202f, b7b72e88046328c9fdc638fe887d4240257dd5dc
Affected packages
  • Linux / Linux (git ranges): affected from commit 8201d1028caa4fae88e222c4e8cf541fdf45b821 up to, but not including, each fix commit:
      b7b72e88046328c9fdc638fe887d4240257dd5dc
      2bbc395e81bd29c543a0529a678327e932a7ec69
      9121f4605ab94969f62d1b5714ca3c6c69bd202f
      13031fb6b8357fbbcded2a7f4cba73e4781ee594
  • Linux / Linux (releases): affected from 6.10; fixed in 6.12.93, 6.18.35, 7.0.12, 7.1-rc7
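A first-pass version filter for the ranges listed above, added here as example code (it is not HarborGuard's matcher and not part of the CVE record). It maps a `uname -r` string onto the record's introducing release (6.10) and the per-branch fix versions, and treats any mainline release at or after 7.1-rc7 as carrying the fix. The function names, the status enum and the sample strings are constructed for the example. The caveat a practitioner needs: distribution kernels routinely backport fixes without changing the upstream version string, so a match here means "check this host", not "this host is exploitable"; the authoritative test is whether the fix commit for that branch is present in the running kernel's source.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* A kernel version; rc == INT_MAX marks a final release, which sorts after
 * every -rcN of the same version. */
struct kver { int major, minor, patch, rc; };

/* Release points taken from the record above. 6.10 rc builds are treated
 * conservatively as affected. */
static const struct kver FIRST_AFFECTED = { 6, 10, 0, 0 };
static const struct kver FIXED_IN[] = {
    { 6, 12, 93, INT_MAX },   /* 6.12.93 */
    { 6, 18, 35, INT_MAX },   /* 6.18.35 */
    { 7,  0, 12, INT_MAX },   /* 7.0.12 */
    { 7,  1,  0, 7 },         /* 7.1-rc7 (mainline) */
};
#define N_FIXED (sizeof(FIXED_IN) / sizeof(FIXED_IN[0]))
#define MAINLINE_FIX (FIXED_IN[N_FIXED - 1])

enum status {
    NOT_AFFECTED,            /* older than the introducing release */
    FIXED,                   /* at or past the fix for its branch */
    AFFECTED_FIX_AVAILABLE,  /* on a branch with a listed fix, but older than it */
    AFFECTED_NO_FIX_LISTED,  /* on a branch the record lists no fix for */
    UNPARSEABLE,
};

/* Parse "6.12.93", "6.18.35-1-arm64", "7.1.0-rc7" or "7.1-rc7". */
int parse_kver(const char *s, struct kver *v)
{
    const char *rc;

    v->major = v->minor = v->patch = 0;
    v->rc = INT_MAX;
    if (sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) < 2)
        return -1;
    rc = strstr(s, "-rc");
    if (rc && sscanf(rc, "-rc%d", &v->rc) != 1)
        return -1;
    return 0;
}

static int kver_cmp(const struct kver *a, const struct kver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    if (a->rc != b->rc)       return a->rc < b->rc ? -1 : 1;
    return 0;
}

enum status cve_2026_46316_status(const char *uname_r)
{
    struct kver v;
    size_t i;

    if (parse_kver(uname_r, &v) != 0)
        return UNPARSEABLE;
    if (kver_cmp(&v, &FIRST_AFFECTED) < 0)
        return NOT_AFFECTED;
    /* Same stable branch as a listed fix: compare within that branch. */
    for (i = 0; i < N_FIXED; i++)
        if (v.major == FIXED_IN[i].major && v.minor == FIXED_IN[i].minor)
            return kver_cmp(&v, &FIXED_IN[i]) >= 0 ? FIXED : AFFECTED_FIX_AVAILABLE;
    /* Any mainline release after the mainline fix carries it. */
    if (kver_cmp(&v, &MAINLINE_FIX) >= 0)
        return FIXED;
    return AFFECTED_NO_FIX_LISTED;
}

const char *status_name(enum status s)
{
    static const char *const names[] = {
        "not affected", "fixed", "affected, fix available on this branch",
        "affected, no fix listed for this branch", "unparseable",
    };
    return names[s];
}

int main(void)
{
    /* Constructed sample inputs in uname -r form. */
    const char *samples[] = { "6.6.50", "6.12.92", "6.12.93", "6.18.35-1-arm64",
                              "7.1.0-rc6", "7.1.0-rc7", "6.15.3", "7.2.0" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s %s\n", samples[i], status_name(cve_2026_46316_status(samples[i])));
    return 0;
}
```

Note the fourth outcome: a kernel such as 6.15.x is past the introducing release and on a branch the record lists no fix for, so it is affected with nothing to upgrade to within its branch; the remediation there is a branch change, not a patch-level bump.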
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H