CVE-2026-46317: KVM: arm64: Reassign nested_mmus array behind mmu_lock
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Reassign nested_mmus array behind mmu_lock

kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.

Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.
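The following user-space C model is an added illustration of the locking pattern the commit message describes; it is not code from the kernel, from the patch, or from HarborGuard. The names struct kvm_arch, struct s2_mmu, walk_nested_mmus, swap_in, grow_nested_mmus_racy, grow_nested_mmus_fixed and run_race are hypothetical stand-ins: two pthread mutexes play kvm->arch.config_lock and kvm->mmu_lock, a walker thread lingers mid-iteration under mmu_lock the way an MMU notifier walk might, and a small quarantine-based free routine (kvfree_checked) stands in for KASAN so the demo can flag a buffer being released while a walker still holds it without ever dereferencing freed memory. The racy grow reallocates and frees under config_lock only, as the pre-fix code did; the fixed grow follows the commit: allocate outside mmu_lock, copy the entries and fix up the back pointers and reassign under it, free the old buffer only after dropping it.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical user-space stand-ins for the kernel structures (demo names, not the kernel's own). */
struct s2_mmu { struct kvm_arch *arch; unsigned int id; };   /* arch: back pointer fixed up on copy */
struct kvm_arch { pthread_mutex_t config_lock, mmu_lock;    /* kvm->arch.config_lock, kvm->mmu_lock */
                  struct s2_mmu *nested_mmus; size_t nested_mmus_size; };
/* KASAN-style detector for the demo: the walker publishes the buffer it iterates, and the free routine
 * flags a release of it. Freed buffers sit in a quarantine until the run ends, so nothing here reads freed memory. */
static _Atomic(struct s2_mmu *) walker_holds;
static atomic_bool walker_ready, freed_while_walking;
static struct s2_mmu *quarantine[4];
static size_t nquarantine;   /* only the reallocating thread touches this */
static void kvfree_checked(struct s2_mmu *buf)
{
	if (buf == atomic_load(&walker_holds)) atomic_store(&freed_while_walking, true);
	quarantine[nquarantine++] = buf;
}
/* Walker in the role of kvm_nested_s2_unmap(): iterates under mmu_lock, lingering linger_ms so that a
 * concurrent reallocation can race it. Returns the number of entries whose back pointer is consistent. */
static int walk_nested_mmus(struct kvm_arch *arch, unsigned int linger_ms)
{
	int valid = 0;
	pthread_mutex_lock(&arch->mmu_lock);
	struct s2_mmu *buf = arch->nested_mmus;
	size_t n = arch->nested_mmus_size;
	atomic_store(&walker_holds, buf);
	atomic_store(&walker_ready, true);
	usleep(linger_ms * 1000);
	for (size_t i = 0; i < n; i++) valid += (buf[i].arch == arch);
	atomic_store(&walker_holds, NULL);
	pthread_mutex_unlock(&arch->mmu_lock);
	return valid;
}

/* Copy the existing entries into tmp, fix up the back pointers, reassign; returns the old buffer. */
static struct s2_mmu *swap_in(struct kvm_arch *arch, struct s2_mmu *tmp, size_t num)
{
	memcpy(tmp, arch->nested_mmus, arch->nested_mmus_size * sizeof(*tmp));
	for (size_t i = 0; i < num; i++) { tmp[i].arch = arch; tmp[i].id = (unsigned int)i; }
	struct s2_mmu *old = arch->nested_mmus;
	arch->nested_mmus = tmp; arch->nested_mmus_size = num;
	return old;
}
/* Pre-fix shape: reallocate and free under config_lock only; a walker holding mmu_lock may still
 * be iterating the buffer that gets freed. */
static int grow_nested_mmus_racy(struct kvm_arch *arch, size_t num)
{
	pthread_mutex_lock(&arch->config_lock);
	struct s2_mmu *tmp = calloc(num, sizeof(*tmp));
	if (!tmp) { pthread_mutex_unlock(&arch->config_lock); return -1; }
	kvfree_checked(swap_in(arch, tmp, num));   /* mmu_lock never taken */
	pthread_mutex_unlock(&arch->config_lock);
	return 0;
}

/* Fixed shape from the commit: allocate outside mmu_lock (allocation can sleep), copy/fix up/reassign
 * under it, free the old buffer only after dropping it (kvfree() can sleep as well). */
static int grow_nested_mmus_fixed(struct kvm_arch *arch, size_t num)
{
	pthread_mutex_lock(&arch->config_lock);
	struct s2_mmu *tmp = calloc(num, sizeof(*tmp));
	if (!tmp) { pthread_mutex_unlock(&arch->config_lock); return -1; }
	pthread_mutex_lock(&arch->mmu_lock);
	struct s2_mmu *old = swap_in(arch, tmp, num);
	pthread_mutex_unlock(&arch->mmu_lock);
	kvfree_checked(old);
	pthread_mutex_unlock(&arch->config_lock);
	return 0;
}
struct race_result { bool freed_live_buffer; bool backptrs_ok; size_t size; };
static void *walker_thread(void *arg) { walk_nested_mmus(arg, 100); return NULL; }

/* One interleaving: the walker takes mmu_lock and lingers mid-walk while grow() runs. */
static struct race_result run_race(int (*grow)(struct kvm_arch *, size_t))
{
	struct kvm_arch arch = { .config_lock = PTHREAD_MUTEX_INITIALIZER, .mmu_lock = PTHREAD_MUTEX_INITIALIZER,
	                         .nested_mmus = calloc(2, sizeof(struct s2_mmu)), .nested_mmus_size = 2 };
	for (size_t i = 0; i < 2; i++) arch.nested_mmus[i].arch = &arch;
	atomic_store(&walker_holds, NULL); atomic_store(&walker_ready, false);
	atomic_store(&freed_while_walking, false); nquarantine = 0;
	pthread_t t;
	pthread_create(&t, NULL, walker_thread, &arch);
	while (!atomic_load(&walker_ready)) usleep(1000);   /* walker now holds mmu_lock */
	grow(&arch, 4);
	pthread_join(t, NULL);
	struct race_result r = { atomic_load(&freed_while_walking), true, arch.nested_mmus_size };
	for (size_t i = 0; i < r.size; i++) if (arch.nested_mmus[i].arch != &arch) r.backptrs_ok = false;
	free(arch.nested_mmus);
	while (nquarantine) free(quarantine[--nquarantine]);
	return r;
}
int main(void)
{
	struct race_result a = run_race(grow_nested_mmus_racy), b = run_race(grow_nested_mmus_fixed);
	printf("racy: freed under walker=%d\nfixed: freed under walker=%d backptrs_ok=%d size=%zu\n",
	       a.freed_live_buffer, b.freed_live_buffer, b.backptrs_ok, b.size);
}
```

Build with cc -pthread. The racy variant reports the old buffer released while the walker still held it; the fixed variant blocks on mmu_lock until the walker is done, never frees a live buffer, and its back pointers survive the copy. The 100 ms linger exists only to make the interleaving deterministic in the demo; in the kernel the window is however long kvm_nested_s2_unmap() spends walking the array, which is why the commit moves the free to after mmu_lock is dropped rather than shrinking the window.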
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A use-after-free in the Linux kernel's KVM arm64 hypervisor code, in its nested virtualization support, lets a local attacker with a low-privilege account corrupt kernel memory by racing the MMU notifier path against the reallocation of the nested MMU array in kvm_vcpu_init_nested(). The array kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, but it was reallocated and its old buffer freed while holding only kvm->arch.config_lock, so a walker could dereference the freed buffer. The flaw is reachable locally and requires no user interaction. The CVSS vector rates confidentiality, integrity and availability impact as high with a scope change (8.8 HIGH): a winning race reads or writes freed kernel memory, which can crash the host or, if the attacker controls what is reallocated into the freed buffer, be developed into kernel-level control. Patched-image rebuilds at the fix versions (6.18.35, 7.0.12, and 7.1-rc7) are available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built kernel or base images that bundle an affected Linux version.
HarborGuard scores this finding at CVSS 8.8 HIGH (v3.1) and can weight that score against each environment's compliance policy to determine priority; routing to the appropriate team inbox within the customer org is handled automatically based on those policy rules.
A patched-image rebuild at the fix versions (6.18.35, 7.0.12, 7.1-rc7) becomes available on HarborGuard for any image found to carry an affected kernel package. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against the affected workloads.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network exposure is required.
- Authentication: Required
A local account that can open /dev/kvm and create a VM is sufficient (CVSS PR:L). The reallocation side of the race lives in kvm_vcpu_init_nested(), the vCPU initialization path of KVM's arm64 nested virtualization support, so the attacker must be able to create and initialize vCPUs; the walker side is the MMU notifier path, which fires on changes to the VMM's address space.
- Victim interaction: Not required
No victim action is needed; the attacker can trigger the race condition independently.
- Attack complexity: Low
The CVSS vector rates attack complexity as low: no special configuration or environmental condition is needed beyond local access to the vulnerable code path. The one timing factor is the race window: an MMU notifier walk of kvm->arch.nested_mmus[] under kvm->mmu_lock has to overlap the reallocation in kvm_vcpu_init_nested(), so in practice an attacker repeats the attempt until the two coincide, and reliability depends on how wide that window can be made.
Blast Radius
- Confidentiality (C:H): a walker reading through the stale nested_mmus pointer sees whatever the kernel has since placed in the freed buffer, which can expose hypervisor data structures and guest state to the local attacker.
- Integrity (I:H): writes through the stale pointer land in freed or reallocated kernel memory, corrupting hypervisor data structures and guest VM state.
- Availability (A:H): dereferencing or corrupting the freed nested_mmus array can crash the host kernel, taking down every workload on the affected node, or crash a guest VM.
- Privilege escalation: the scope change (S:C) in the CVSS vector records that a low-privilege local account ends up affecting the kernel, a component beyond the one it is authorized to use; turning the use-after-free into a controlled write primitive is the path from that account to full kernel-level control.
How HarborGuard Handles This
Images containing an affected Linux kernel version are flagged immediately on CVE ingestion, which occurs within minutes of publication. For customers who opt into auto-remediation, HarborGuard rebuilds the image at a fixed kernel version (6.18.35, 7.0.12, or 7.1-rc7 as appropriate), runs a regression test against the rebuilt image, and opens a pull request targeting the affected workload repositories. For high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with full CVSS detail and fix-version guidance so that the responsible team can act manually.

Because this flaw is a local privilege escalation, customers running KVM-based container or VM workloads on arm64 hosts should treat patching as high priority. The vulnerable code is KVM's arm64 nested virtualization support, and the reallocation side of the race runs only when a process creates and initializes vCPUs, so as a compensating control before patching, restrict access to the KVM device node (/dev/kvm) to the users and services that genuinely need it. On most distributions the node is owned by root with group kvm and mode 0660; a world-readable or world-writable mode on it, or an over-broad kvm group membership, widens the set of local accounts that can reach the race, so auditing both is the practical check.
Fix available
- Linux / Linux (by commit): affected from 4f128f8e1aaac189f83d0f828bcdb2986d8d2e51 up to, but not including, each of the fix commits 918450ad6010df6ecd2efde12a1409e011da22d6, 4424dbcb06d68e34e51c019a5781a7dc00731971 and 70543358fa08e0f7cebc3447c3b70fe97ad7aaa8
- Linux / Linux (by version): affected from 6.11; fixed in 0, 6.18.35, 7.0.12, 7.1-rc7
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H