Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry

vgic_its_invalidate_cache() walks the per-ITS translation cache with
xa_for_each() and drops the cache's reference on each entry with
vgic_put_irq(). It puts the iterated pointer, though, rather than the
value returned by xa_erase().

The function is called from contexts that do not exclude one another: the
ITS command handlers hold its_lock, the GITS_CTLR write path holds
cmd_lock, and the path that clears EnableLPIs in a redistributor's
GICR_CTLR holds neither. Two or more of them can drain the same cache
concurrently, and if each one observes the same entry, erases it and then
puts it, the single reference the cache holds on that entry is dropped
more than once. The entry can then be freed while an ITE still maps it.

xa_erase() is atomic and returns the previous entry, so put only the entry
that this context actually removed. The cache reference is then dropped
exactly once per entry even when the invalidations run concurrently, and
the behavior is unchanged when only one context runs.
Published: 2026-06-09
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug is in the per-ITS translation cache of the virtual GIC (VGIC) ITS emulation in KVM for arm64. vgic_its_invalidate_cache() walks the cache with xa_for_each(), erases each entry with xa_erase(), and then calls vgic_put_irq() on the pointer it iterated rather than on the value xa_erase() returned. The three callers (the ITS command handlers under its_lock, the GITS_CTLR write path under cmd_lock, and the GICR_CTLR path that clears EnableLPIs, which takes neither lock) do not exclude one another, so two contexts can observe the same entry, and each one puts it although only one of them actually erased it. The cache holds a single reference, so the refcount of that vgic_irq is decremented more than once and can reach zero while an ITE (interrupt translation entry) still maps the interrupt; any later use of that entry is a use-after-free in the host kernel. The immediate effect is a host crash (denial of service); because the freed object is host kernel memory reached from guest-driven paths, the flaw is in principle a guest-to-host issue rather than a guest-local one, which is why the vector rates confidentiality, integrity and availability as High. All three paths are driven by guest activity on its virtual ITS and redistributors (ITS commands, GITS_CTLR writes and GICR_CTLR writes), so a guest that has been given an in-kernel ITS can race them, for example from several vCPUs at once; the race window is narrow, which the AC:H in the CVSS vector reflects.
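As an added illustration (not code from the kernel or from this page), the race and the fix can be modelled deterministically in plain C: a refcounted stand-in for vgic_irq, a cache whose slots are atomic pointers and whose erase is an atomic exchange returning the previous value (the xa_erase() property the fix relies on), and a worst-case interleaving in which every invalidating context first iterates, then erases, then puts. The names simulate_invalidate, put_irq, cache_erase and the struct names are this example's own; the starting refcount of 2 (one held by the ITE, one by the cache) and the LPI numbers are constructed. With fixed_put=false each context puts the pointer it iterated, as the pre-fix code did; with fixed_put=true it puts only what erase handed back.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define NR_ENTRIES   4
#define MAX_DRAINERS 3

/* Stand-in for struct vgic_irq. A real one is freed when its refcount hits
 * zero; here we only flag it so the outcome can be inspected afterwards. */
struct its_irq {
	int intid;
	atomic_int refcount;
	bool freed;      /* refcount reached zero */
	bool underflow;  /* a put happened with no reference left to drop */
};

/* Stand-in for the per-ITS translation cache. Erasing a slot is an atomic
 * exchange with NULL that returns the previous value, like xa_erase(). */
struct tcache {
	_Atomic(struct its_irq *) slot[NR_ENTRIES];
};

static struct its_irq *cache_erase(struct tcache *c, int i)
{
	return atomic_exchange(&c->slot[i], (struct its_irq *)NULL);
}

/* Stand-in for vgic_put_irq(). */
static void put_irq(struct its_irq *irq)
{
	int old = atomic_fetch_sub(&irq->refcount, 1);

	if (old == 1)
		irq->freed = true;
	else if (old <= 0)
		irq->underflow = true;
}

/* One invalidating context: what xa_for_each() showed it, and what its own
 * erase actually returned. */
struct drainer {
	struct its_irq *seen[NR_ENTRIES];
	struct its_irq *erased[NR_ENTRIES];
};

/*
 * Run ndrainers invalidations through the worst-case interleaving: every
 * context iterates (all see the same entries), then every context erases,
 * then every context puts. Returns how many entries ended up freed (or
 * under-referenced) although the ITE's own reference was never dropped.
 * If min_refcount is non-NULL it receives the lowest refcount left behind.
 */
static int simulate_invalidate(int ndrainers, bool fixed_put, int *min_refcount)
{
	struct its_irq irqs[NR_ENTRIES];
	struct tcache cache;
	struct drainer d[MAX_DRAINERS] = {0};
	int bad = 0, lowest;

	if (ndrainers < 1 || ndrainers > MAX_DRAINERS)
		return -1;

	for (int i = 0; i < NR_ENTRIES; i++) {
		irqs[i].intid = 8192 + i;           /* constructed LPI INTIDs */
		atomic_init(&irqs[i].refcount, 2);  /* 1 for the ITE, 1 for the cache */
		irqs[i].freed = irqs[i].underflow = false;
		atomic_init(&cache.slot[i], &irqs[i]);
	}

	/* Phase 1: each context's xa_for_each() observes the same pointers. */
	for (int k = 0; k < ndrainers; k++)
		for (int i = 0; i < NR_ENTRIES; i++)
			d[k].seen[i] = atomic_load(&cache.slot[i]);

	/* Phase 2: each context erases; only the first exchange per slot gets
	 * the entry back, the later ones get NULL. */
	for (int k = 0; k < ndrainers; k++)
		for (int i = 0; i < NR_ENTRIES; i++)
			if (d[k].seen[i])
				d[k].erased[i] = cache_erase(&cache, i);

	/* Phase 3: drop the cache's reference. Pre-fix: put what was iterated.
	 * Fixed: put only what this context's erase returned. */
	for (int k = 0; k < ndrainers; k++)
		for (int i = 0; i < NR_ENTRIES; i++) {
			struct its_irq *victim = fixed_put ? d[k].erased[i] : d[k].seen[i];

			if (victim)
				put_irq(victim);
		}

	lowest = atomic_load(&irqs[0].refcount);
	for (int i = 0; i < NR_ENTRIES; i++) {
		int r = atomic_load(&irqs[i].refcount);

		if (irqs[i].freed || irqs[i].underflow)
			bad++;
		if (r < lowest)
			lowest = r;
	}
	if (min_refcount)
		*min_refcount = lowest;
	return bad;
}

int main(void)
{
	int m;

	printf("one context, pre-fix put:  bad=%d\n", simulate_invalidate(1, false, NULL));
	printf("two contexts, pre-fix put: bad=%d\n", simulate_invalidate(2, false, &m));
	printf("  lowest refcount left: %d (ITE now maps freed memory)\n", m);
	printf("two contexts, fixed put:   bad=%d\n", simulate_invalidate(2, true, &m));
	printf("  lowest refcount left: %d (the ITE's reference survives)\n", m);
	return 0;
}
```

The single-context runs come out identical in both modes, matching the commit's note that behaviour is unchanged when only one context runs; the difference appears only once two or more contexts drain the same cache.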

Affected Systems

The flaw is in the Linux kernel's arm64 KVM VGIC ITS emulation (arch/arm64/kvm/vgic/vgic-its.c), so any distribution kernel that ships the unpatched code and runs KVM guests with an in-kernel ITS on arm64 hosts is affected; hosts on other architectures, and arm64 hosts whose guests are not given a virtual ITS, do not reach this code. The CPE entry names only the kernel as the affected component and the CNA data gives no version range, so check whether the running kernel contains the fix commit (its subject is the title of this CVE) or your distribution's backport of it.

Risk and Exploitability

The race is between paths driven by a guest's writes to its virtual ITS and redistributor registers, so the realistic attacker is a guest, or code inside a guest privileged enough to program those registers, on an arm64 KVM host with the in-kernel ITS enabled; no host privilege beyond running such a guest is needed, which the CVSS vector (AV:L/AC:H/PR:L) reflects, with AC:H accounting for the narrow race window that has to be won. The 7.0 score is in line with other reference-count races in kernel memory management. EPSS is not available and the CVE is not in the CISA KEV catalog, but a guest-triggerable host kernel use-after-free deserves prompt attention from administrators who run untrusted guests on arm64 KVM.

Generated by OpenCVE AI on June 10, 2026 at 03:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the fix commit (subject: "KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry") or your distribution's backport of it
  • Reboot the host to load the updated kernel and ensure the fix is active
  • Until the host is patched, guests that are not given an in-kernel virtual ITS cannot reach vgic_its_invalidate_cache(); VMMs such as QEMU offer a machine option to turn the ITS off for a guest, at the cost of LPI/MSI support inside that guest. Watch the host kernel log for VGIC-related warnings or oopses, which would indicate the race has been hit

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Wed, 10 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity: None (removed); cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} and threat_severity: Moderate (added)


Tue, 09 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Tue, 09 Jun 2026 12:30:00 +0000

Type                 Values Removed    Values Added
Description                            (initial description; full text as in the Description section above)
Title                                  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
First Time appeared                    Linux
                                       Linux linux Kernel
CPEs                                   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                     Linux
                                       Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-09T11:52:29.349Z

Reserved: 2026-05-13T15:03:33.112Z

Link: CVE-2026-46316

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T13:16:36.887

Modified: 2026-06-09T13:16:36.887

Link: CVE-2026-46316

Redhat

Severity : Moderate

Public Date: 2026-06-09T00:00:00Z

Links: CVE-2026-46316 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T03:30:16Z

Weaknesses