Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()

Two bugs exist in the vCPU initialisation path:

1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup
path jumps to 'unlock' without calling unpin_host_vcpu() or
unpin_host_sve_state(), permanently leaking pin references on the
host vCPU and SVE state pages.

Extract a register_hyp_vcpu() helper that performs the checks and
the store. When register_hyp_vcpu() returns an error, call
unpin_host_vcpu() and unpin_host_sve_state() inline before falling
through to the existing 'unlock' label.

2. register_hyp_vcpu() publishes the new vCPU pointer into
'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller
of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU
object.

Ensure the store uses smp_store_release() and the load uses
smp_load_acquire(). While 'vm_table_lock' currently serialises the
store and the load, these barriers ensure the reader sees the fully
initialised 'hyp_vcpu' object even if there were a lockless path or
if the lock's own ordering guarantees were insufficient for nested
object initialization.
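The two fixes the description talks about, as an added C illustration that is not the kernel's code: the function and field names (hyp_pin_shared_mem, unpin_host_vcpu, unpin_host_sve_state, register_hyp_vcpu, pkvm_load_hyp_vcpu, hyp_vm->vcpus[]) mirror the commit message, but the bodies, the host_page/hyp_vm layout, the pin counter and the two demo functions are constructed for this example, and C11 atomics stand in for smp_store_release()/smp_load_acquire(). It shows the invariant the fix restores on the error path (every pin taken before registration is dropped when registration fails) and the release/acquire pairing on the vcpus[] slot; being single-threaded it does not reproduce the race itself, only the ordering discipline that closes it.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_VCPUS 4

/* Constructed stand-ins: 'pins' counts how often a host page is pinned. */
struct host_page { int pins; };

struct hyp_vcpu {
	struct host_page *host_vcpu;	/* pinned host vCPU state */
	struct host_page *sve_state;	/* pinned host SVE state, may be NULL */
	bool initialised;		/* stands in for "every field written" */
};

struct hyp_vm {
	unsigned nr_vcpus;		/* slots the VM was created with */
	_Atomic(struct hyp_vcpu *) vcpus[MAX_VCPUS];
};

static void hyp_pin_shared_mem(struct host_page *p) { p->pins++; }
static void unpin_host_vcpu(struct hyp_vcpu *v) { v->host_vcpu->pins--; }
static void unpin_host_sve_state(struct hyp_vcpu *v) { if (v->sve_state) v->sve_state->pins--; }

/*
 * The checks and the store. The release store pairs with the acquire load in
 * pkvm_load_hyp_vcpu(): a reader that observes the pointer also observes every
 * field written before it (C11 equivalent of smp_store_release()).
 */
static int register_hyp_vcpu(struct hyp_vm *vm, struct hyp_vcpu *v, unsigned idx)
{
	if (idx >= vm->nr_vcpus || idx >= MAX_VCPUS)
		return -EINVAL;
	if (atomic_load_explicit(&vm->vcpus[idx], memory_order_relaxed))
		return -EEXIST;
	atomic_store_explicit(&vm->vcpus[idx], v, memory_order_release);
	return 0;
}

/* Pin first, register second; a registration failure must drop every pin. */
int pkvm_init_vcpu(struct hyp_vm *vm, struct hyp_vcpu *v,
		   struct host_page *host, struct host_page *sve, unsigned idx)
{
	int ret;
	v->host_vcpu = host;
	v->sve_state = sve;
	hyp_pin_shared_mem(host);
	if (sve)
		hyp_pin_shared_mem(sve);
	v->initialised = true;		/* last plain write before publication */
	ret = register_hyp_vcpu(vm, v, idx);
	if (ret) {
		/* Fixed path: unpin inline instead of jumping straight to 'unlock'. */
		unpin_host_vcpu(v);
		unpin_host_sve_state(v);
	}
	return ret;
}

/* Reader side: acquire load paired with the release store above. */
struct hyp_vcpu *pkvm_load_hyp_vcpu(struct hyp_vm *vm, unsigned idx)
{
	if (idx >= MAX_VCPUS)
		return NULL;
	return atomic_load_explicit(&vm->vcpus[idx], memory_order_acquire);
}

/*
 * Failure path: slot 0 is filled, then a second vCPU targets the same slot and
 * register_hyp_vcpu() fails with -EEXIST. Returns the pins still held by the
 * failed vCPU's pages; 0 means nothing leaked.
 */
int demo_failed_init_pins(void)
{
	struct hyp_vm vm = { .nr_vcpus = 1 };
	struct hyp_vcpu a = { 0 }, b = { 0 };
	struct host_page host_a = { 0 }, host_b = { 0 }, sve_b = { 0 };
	if (pkvm_init_vcpu(&vm, &a, &host_a, NULL, 0) != 0)
		return -1;
	if (pkvm_init_vcpu(&vm, &b, &host_b, &sve_b, 0) != -EEXIST)
		return -1;
	return host_b.pins + sve_b.pins;
}

/* Success path: the loaded pointer is the published, fully initialised vCPU. */
bool demo_load_sees_initialised(void)
{
	struct hyp_vm vm = { .nr_vcpus = 2 };
	struct hyp_vcpu v = { 0 };
	struct host_page host = { 0 }, sve = { 0 };
	struct hyp_vcpu *seen;
	if (pkvm_init_vcpu(&vm, &v, &host, &sve, 1) != 0)
		return false;
	seen = pkvm_load_hyp_vcpu(&vm, 1);
	return seen == &v && seen->initialised && host.pins == 1 && sve.pins == 1;
}
```

The unfixed shape of the bug is the `if (ret)` block in pkvm_init_vcpu() with the two unpin calls missing: demo_failed_init_pins() would then return 2 instead of 0, which is exactly the unbounded pin growth the description warns about. The pairing in register_hyp_vcpu()/pkvm_load_hyp_vcpu() is what makes `seen->initialised` safe to trust on a weakly ordered core such as arm64; a plain store and load would give no such guarantee even if the pointer itself were visible.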
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux KVM arm64 implementation. When an error occurs after hyp_pin_shared_mem() succeeds, the cleanup logic skips unpinning host vCPU and SVE state references, permanently leaking pin counts on the host. Additionally, the newly created vCPU pointer is published with a plain store, allowing concurrent readers to observe a partially initialized object. These defects can lead to resource exhaustion and unreliable kernel state, potentially resulting in service disruption for the host system.

Affected Systems

All Linux distributions running a kernel that includes the KVM arm64 code path are affected, as the flaw lies in the generic Linux kernel code. Users must verify whether the patch that fixes the pin leak and ordering has been applied in their specific kernel release.

Risk and Exploitability

No CVSS score is provided and EPSS is unavailable; the issue is not listed in CISA KEV. Exploitation likely requires a malicious guest VM to trigger the error path, and the bug introduces a data race that could degrade system reliability. The overall risk is moderate to high for environments with unmanaged or untrusted virtual machines, and the impact could manifest as denial of service or resource depletion.

Generated by OpenCVE AI on May 28, 2026 at 11:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the patches at commits 6d69c0ed978f7f0efd053fc98390f25ab77c1aea, 73b9c1e5da84cd69b1a86e374e450817cd051371, and 7d3c27b54253cda91dc4d2c1bfc109c490837ab9; these changes fix the improper cleanup and synchronization issues.
  • If a kernel update is not currently available, manually apply the corresponding patches from the upstream kernel source and rebuild the kernel before redeploying the KVM host.
  • Verify that the pin counts for host VCPUs and SVE state pages do not increase unboundedly; if abnormal growth is observed, restart the host or immediately apply the fixed kernel.
  • Ensure that guest VMs are restricted to a safe number of VCPUs and that no privileged VM can trigger the error path repeatedly, mitigating the risk of resource exhaustion.

Advisories

No advisories yet.

History

Thu, 28 May 2026 12:00:00 +0000

Type                 Values Removed   Values Added
Weaknesses           -                CWE-362, CWE-363, CWE-401

Thu, 28 May 2026 10:15:00 +0000

Type                 Values Removed   Values Added
Description          -                (the CVE description reproduced at the top of this page)
Title                -                KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()
First Time appeared  -                Linux; Linux linux Kernel
CPEs                 -                cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products   -                Linux; Linux linux Kernel
References           -                -
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:36:03.892Z

Reserved: 2026-05-13T15:03:33.101Z

Link: CVE-2026-46147

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-28T10:16:30.320

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46147

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T13:00:19Z

Weaknesses