Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()

Two bugs exist in the vCPU initialisation path:

1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup
path jumps to 'unlock' without calling unpin_host_vcpu() or
unpin_host_sve_state(), permanently leaking pin references on the
host vCPU and SVE state pages.

Extract a register_hyp_vcpu() helper that performs the checks and
the store. When register_hyp_vcpu() returns an error, call
unpin_host_vcpu() and unpin_host_sve_state() inline before falling
through to the existing 'unlock' label.

2. register_hyp_vcpu() publishes the new vCPU pointer into
'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller
of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU
object.

Ensure the store uses smp_store_release() and the load uses
smp_load_acquire(). While 'vm_table_lock' currently serialises the
store and the load, these barriers ensure the reader sees the fully
initialised 'hyp_vcpu' object even if there were a lockless path or
if the lock's own ordering guarantees were insufficient for nested
object initialization.
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux KVM arm64 code, specifically in the protected-KVM (pKVM) hypervisor's vCPU initialisation routine __pkvm_init_vcpu(). When a check fails after hyp_pin_shared_mem() has already succeeded, the cleanup path jumps to 'unlock' without calling unpin_host_vcpu() or unpin_host_sve_state(), so the pin references taken on the host vCPU and SVE state pages are never released for the lifetime of the running hypervisor. Separately, the new vCPU pointer is published into hyp_vm->vcpus[] with a plain store rather than smp_store_release(), so a concurrent caller of pkvm_load_hyp_vcpu() could in principle observe a partially initialised object; the commit notes that vm_table_lock currently serialises the store and the load, so this second defect is latent and the acquire/release pairing is a defensive hardening. The practical impact is host-side resource exhaustion and, at worst, denial of service of the host, which matches the availability-only (A:H) impact in the CVSS vector.
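The two bug shapes and the fix, as an added userspace C model (this is not the kernel's code and is not taken from the commit): the structs, the counter-based pin/unpin stand-ins, the smp_store_release()/smp_load_acquire() macros built on the GCC/clang __atomic builtins, and the -EINVAL/-EEXIST checks are assumptions made for this page; only the function names come from the commit message above. The leaky path returns with both pins still held after a failed check, the fixed path routes the checks through a register_hyp_vcpu() helper and unpins on error, and the reader pairs an acquire load with the release store.

```c
/* Hypothetical userspace model of __pkvm_init_vcpu(), written for this page:
 * not kernel code. Pins are counters; barriers use GCC/clang __atomic builtins. */
#include <errno.h>
#include <stdio.h>
/* Stand-ins for the kernel's release/acquire helpers (assumption). */
#define smp_store_release(p, v) __atomic_store_n((p), (v), __ATOMIC_RELEASE)
#define smp_load_acquire(p)     __atomic_load_n((p), __ATOMIC_ACQUIRE)
struct host_vcpu { int vcpu_pins; int sve_pins; };
struct hyp_vcpu  { struct host_vcpu *host; int initialised; };
struct hyp_vm    { unsigned nr_vcpus; struct hyp_vcpu *vcpus[4]; };
typedef int init_fn(struct hyp_vm *, struct host_vcpu *, unsigned, struct hyp_vcpu *);

/* Pin/unpin stand-ins; the real ones adjust share counts on host pages. */
static void pin_host_vcpu(struct host_vcpu *h)        { h->vcpu_pins++; }
static void unpin_host_vcpu(struct host_vcpu *h)      { h->vcpu_pins--; }
static void pin_host_sve_state(struct host_vcpu *h)   { h->sve_pins++; }
static void unpin_host_sve_state(struct host_vcpu *h) { h->sve_pins--; }

/* Vulnerable shape. Bug 1: a failed check after pinning jumps to 'unlock' without
 * unpinning. Bug 2: the pointer is published with a bare store (no release). */
int init_vcpu_leaky(struct hyp_vm *vm, struct host_vcpu *host,
                    unsigned idx, struct hyp_vcpu *obj)
{
    int ret = 0;
    pin_host_vcpu(host);
    pin_host_sve_state(host);
    if (idx >= vm->nr_vcpus) { ret = -EINVAL; goto unlock; }
    if (vm->vcpus[idx])      { ret = -EEXIST; goto unlock; }
    obj->host = host;
    obj->initialised = 1;
    vm->vcpus[idx] = obj;                 /* bare store */
unlock:
    return ret;                           /* on error the two pins leak */
}

/* Fixed shape: checks and store live in register_hyp_vcpu(); release store last. */
static int register_hyp_vcpu(struct hyp_vm *vm, unsigned idx,
                             struct hyp_vcpu *obj)
{
    if (idx >= vm->nr_vcpus) return -EINVAL;
    if (vm->vcpus[idx])      return -EEXIST;
    smp_store_release(&vm->vcpus[idx], obj);
    return 0;
}

int init_vcpu_fixed(struct hyp_vm *vm, struct host_vcpu *host,
                    unsigned idx, struct hyp_vcpu *obj)
{
    int ret;
    pin_host_vcpu(host);
    pin_host_sve_state(host);
    obj->host = host;
    obj->initialised = 1;
    ret = register_hyp_vcpu(vm, idx, obj);
    if (ret) {
        /* Undo both pins inline before falling through to 'unlock'. */
        unpin_host_vcpu(host);
        unpin_host_sve_state(host);
    }
    return ret;
}

/* Reader side (pkvm_load_hyp_vcpu() role): acquire load pairs with the release. */
struct hyp_vcpu *load_hyp_vcpu(struct hyp_vm *vm, unsigned idx)
{
    if (idx >= vm->nr_vcpus) return NULL;
    struct hyp_vcpu *v = smp_load_acquire(&vm->vcpus[idx]);
    return (v && v->initialised) ? v : NULL;
}

/* Drive one init path through an out-of-range index; returns pins left behind. */
int leaked_pins(init_fn *init)
{
    struct hyp_vm vm = { .nr_vcpus = 1 };
    struct host_vcpu host = { 0 };
    struct hyp_vcpu obj = { 0 };
    (void)init(&vm, &host, vm.nr_vcpus, &obj);   /* idx out of range: fails */
    return host.vcpu_pins + host.sve_pins;        /* 0 is correct */
}

/* Fixed path, same slot twice: second try fails -EEXIST, only a's pins remain. */
int double_register_pins(void)
{
    struct hyp_vm vm = { .nr_vcpus = 2 };
    struct host_vcpu host = { 0 };
    struct hyp_vcpu a = { 0 }, b = { 0 };
    if (init_vcpu_fixed(&vm, &host, 0, &a) != 0)       return -1;
    if (load_hyp_vcpu(&vm, 0) != &a)                   return -2;
    if (init_vcpu_fixed(&vm, &host, 0, &b) != -EEXIST) return -3;
    return host.vcpu_pins + host.sve_pins;             /* 2 */
}

int main(void)
{
    printf("leaky path leaves %d pins, fixed path leaves %d\n",
           leaked_pins(init_vcpu_leaky), leaked_pins(init_vcpu_fixed));
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c`; the leaky path reports 2 leaked pins and the fixed path 0. A single-threaded model cannot show the acquire/release pairing failing, and the commit itself says vm_table_lock masks the race today; what the model shows is the discipline the fix adds: every write to the object precedes the release store, and a reader treats only a non-NULL pointer obtained through an acquire load as initialised.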

Affected Systems

Only arm64 hosts running KVM in protected mode (pKVM, kvm-arm.mode=protected) exercise the affected code: __pkvm_init_vcpu() and pkvm_load_hyp_vcpu() live in the nVHE hypervisor, not in the generic kernel. Hosts on other architectures, and arm64 hosts using KVM in its default non-protected mode, never reach this path. The NVD CPE on this page names linux_kernel 7.1-rc1; whether a given stable or distribution kernel carries the defect or a backport of the fix must be checked against that kernel's changelog, since the page lists no commit hashes or fixed versions.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not in CISA KEV, so there is no indication of exploitation in the wild. CVSS 3.1 rates it 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: local access with low privileges is required and the only impact is on availability. The __pkvm_init_vcpu() hypercall is issued by the host kernel when a vCPU is created, so the error path is driven from the host side by whoever can create VMs and vCPUs, not by code running inside a guest. Repeatedly hitting a failing check after the pins are taken leaks pins until the host is rebooted; the publication-ordering defect is currently masked by vm_table_lock and is a latent data race rather than a demonstrated one. Risk is therefore moderate on pKVM hosts where untrusted local users can create VMs and low elsewhere, and the impact is denial of service or resource depletion, not disclosure or tampering.

Generated by OpenCVE AI on June 10, 2026 at 22:47 UTC.

Remediation

No vendor-specific fix or workaround is recorded on this page; the upstream fix is the commit whose message appears in the Description above.

OpenCVE Recommended Actions

  • Upgrade to a kernel that includes the upstream fix described above (the register_hyp_vcpu() helper with inline unpin on error, and the smp_store_release()/smp_load_acquire() pairing), which addresses the leaked pin references (CWE-401, CWE-772) and the publication-ordering race (CWE-362).
  • If no updated kernel is available yet, backport the upstream commit to your kernel source and rebuild before redeploying pKVM hosts; confirm that the error path in __pkvm_init_vcpu() now calls unpin_host_vcpu() and unpin_host_sve_state() before reaching 'unlock'.
  • The pin counts live inside the protected hypervisor and are not exposed to host userspace, so there is no counter to monitor directly. Prioritise hosts that run in protected mode and see repeated vCPU creation failures, since each failure past the pin step leaks pins; the only recovery is to reboot into the fixed kernel.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 29 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-363
CWE-401

Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-363
CWE-401

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu() Two bugs exist in the vCPU initialisation path: 1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup path jumps to 'unlock' without calling unpin_host_vcpu() or unpin_host_sve_state(), permanently leaking pin references on the host vCPU and SVE state pages. Extract a register_hyp_vcpu() helper that performs the checks and the store. When register_hyp_vcpu() returns an error, call unpin_host_vcpu() and unpin_host_sve_state() inline before falling through to the existing 'unlock' label. 2. register_hyp_vcpu() publishes the new vCPU pointer into 'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU object. Ensure the store uses smp_store_release() and the load uses smp_load_acquire(). While 'vm_table_lock' currently serialises the store and the load, these barriers ensure the reader sees the fully initialised 'hyp_vcpu' object even if there were a lockless path or if the lock's own ordering guarantees were insufficient for nested object initialization.
Title KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:58:03.230Z

Reserved: 2026-05-13T15:03:33.101Z

Link: CVE-2026-46147

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:30.320

Modified: 2026-06-10T21:18:05.347

Link: CVE-2026-46147

Red Hat

Severity :

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46147 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T23:00:20Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-772

    Missing Release of Resource after Effective Lifetime