Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Reassign nested_mmus array behind mmu_lock

kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the
MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which
can run at any time. kvm_vcpu_init_nested() reallocates the array and frees
the old buffer while holding only kvm->arch.config_lock, so such a walker
can reference the freed array.

Allocate the new array outside of mmu_lock, as the allocation can sleep.
Under the lock, copy the existing entries, fix up the back pointers and
reassign the array. Free the old buffer after dropping the lock, as
kvfree() can sleep as well.
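The ordering the commit message describes (allocate outside mmu_lock, copy and fix back pointers and reassign under it, free after dropping it), shown as an added userspace model. This is not kernel code and not the patch itself: nested_mmu, pgtable, model_lock, grow_nested_mmus() and walk_nested_mmus() are hypothetical stand-ins for kvm_s2_mmu, its page table, the two kernel locks, kvm_vcpu_init_nested() and kvm_nested_s2_unmap(). The locks only record whether they are held, and any allocation or free made while mmu_lock is "held" is counted as a sleeping call in atomic context, so the ordering can be checked without threads.

```c
/* Added example: userspace model of the fixed reallocation ordering.
 * All type and function names are hypothetical stand-ins, not kernel API. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* A lock that only records whether it is held: enough to check ordering. */
struct model_lock { int held; };
static void lock_acquire(struct model_lock *l) { l->held = 1; }
static void lock_release(struct model_lock *l) { l->held = 0; }

struct nested_mmu;

/* Stands in for the page table: a separate object holding a back pointer to
 * its owning array entry, which must be repointed whenever the array moves. */
struct pgtable { struct nested_mmu *mmu; };

struct nested_mmu {
    struct pgtable *pgt;   /* NULL means the entry is not initialised yet */
    unsigned long id;
};

struct kvm {
    struct model_lock mmu_lock;     /* walkers such as the unmap path hold this */
    struct model_lock config_lock;  /* serialises growers; not enough on its own */
    struct nested_mmu *nested_mmus;
    size_t nested_mmus_size;
    int sleep_in_atomic;            /* sleeping calls made while mmu_lock was held */
};

/* Allocation and free may sleep, so count any call made under mmu_lock. */
static void *model_alloc(struct kvm *kvm, size_t n, size_t sz)
{
    if (kvm->mmu_lock.held)
        kvm->sleep_in_atomic++;
    return calloc(n, sz);
}

static void model_free(struct kvm *kvm, void *p)
{
    if (kvm->mmu_lock.held)
        kvm->sleep_in_atomic++;
    free(p);
}

void kvm_model_init(struct kvm *kvm) { memset(kvm, 0, sizeof(*kvm)); }

/* Walker in the role of the unmap path: runs under mmu_lock and relies on the
 * array it reads staying allocated. Returns how many initialised entries have
 * a page table that points back at the entry it was read from. */
size_t walk_nested_mmus(struct kvm *kvm)
{
    size_t i, consistent = 0;

    lock_acquire(&kvm->mmu_lock);
    for (i = 0; i < kvm->nested_mmus_size; i++) {
        struct nested_mmu *mmu = &kvm->nested_mmus[i];
        if (mmu->pgt && mmu->pgt->mmu == mmu)
            consistent++;
    }
    lock_release(&kvm->mmu_lock);
    return consistent;
}

/* Grow the array to new_size with the fixed ordering; 0 on success, -1 on
 * allocation failure. The bug was to realloc and free the old buffer here
 * under config_lock alone, so a walker holding mmu_lock could read freed
 * memory. */
int grow_nested_mmus(struct kvm *kvm, size_t new_size)
{
    struct nested_mmu *tmp, *old;
    size_t i, old_size;

    lock_acquire(&kvm->config_lock);
    old_size = kvm->nested_mmus_size;   /* stable: growers are serialised */
    if (new_size <= old_size) {
        lock_release(&kvm->config_lock);
        return 0;
    }

    /* 1. Allocate and initialise the new slots outside mmu_lock. The buffer
     *    is private until it is reassigned, so no walker can see it yet. */
    tmp = model_alloc(kvm, new_size, sizeof(*tmp));
    if (!tmp) {
        lock_release(&kvm->config_lock);
        return -1;
    }
    for (i = old_size; i < new_size; i++) {
        tmp[i].pgt = model_alloc(kvm, 1, sizeof(*tmp[i].pgt));
        if (!tmp[i].pgt)
            goto fail;
        tmp[i].pgt->mmu = &tmp[i];
        tmp[i].id = i;
    }

    /* 2. Under mmu_lock: copy the live entries, repoint their page tables at
     *    the new addresses, then publish the array. A walker sees either the
     *    old array, still allocated, or the complete new one. */
    lock_acquire(&kvm->mmu_lock);
    old = kvm->nested_mmus;
    if (old)
        memcpy(tmp, old, old_size * sizeof(*tmp));
    for (i = 0; i < old_size; i++)
        if (tmp[i].pgt)
            tmp[i].pgt->mmu = &tmp[i];
    kvm->nested_mmus = tmp;
    kvm->nested_mmus_size = new_size;
    lock_release(&kvm->mmu_lock);

    /* 3. Free the old buffer only after dropping mmu_lock: free may sleep, and
     *    no walker can still hold a pointer into it. */
    model_free(kvm, old);
    lock_release(&kvm->config_lock);
    return 0;

fail:
    while (i-- > old_size)
        model_free(kvm, tmp[i].pgt);
    model_free(kvm, tmp);
    lock_release(&kvm->config_lock);
    return -1;
}

void kvm_model_destroy(struct kvm *kvm)
{
    size_t i;
    for (i = 0; i < kvm->nested_mmus_size; i++)
        free(kvm->nested_mmus[i].pgt);
    free(kvm->nested_mmus);
    kvm->nested_mmus = NULL;
    kvm->nested_mmus_size = 0;
}
```

One design choice differs from what the kernel has to do: the model initialises the new slots in the private buffer before taking mmu_lock, so nothing that may sleep ever runs under it; how the kernel initialises new stage-2 MMUs is outside what the commit message states. After `grow_nested_mmus()` returns, `sleep_in_atomic` stays zero and every page table points back at its entry in the current array, which is exactly what a walker under mmu_lock depends on.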
Published: 2026-06-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a race condition in the ARM64 KVM implementation of the Linux kernel. When kvm_vcpu_init_nested() reallocates the nested_mmus array, it frees the old array while holding only kvm->arch.config_lock, not kvm->mmu_lock. Simultaneously, other code paths may walk the same array while holding kvm->mmu_lock. If this occurs, the walker can read freed memory, causing a use-after-free that can corrupt critical kernel data structures. The resulting corruption can trigger a kernel crash or potentially allow an attacker to gain code execution in the kernel.

Affected Systems

All Linux kernels running on ARM64 that have KVM enabled are affected. This includes every distribution that ships a recent Linux kernel with nested paging support for KVM on ARM64. Any system that loads one of these kernels and creates a virtual machine with nested paging enabled is vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of < 1 % suggests a very low but non-zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The description implies that a malicious guest could potentially trigger the race by executing code inside the guest and racing the reallocation timing. While the exact exploit is not publicly documented, the inferred attack vector is a guest-initiated race condition that could lead to a host crash or privilege escalation. This makes the risk significant for environments that run untrusted virtual machines.

Generated by OpenCVE AI on June 14, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that addresses the CWE-825 use-after-free bug (commit 4424dbcb06d68e34e51c019a5781a7dc00731971).
  • If a kernel upgrade cannot be performed immediately, disable nested paging for KVM on ARM64 by setting CONFIG_KVM_ARM64_NESTED=0 in the kernel configuration or launch VMs without nested paging support using the --no-nested flag.
  • Enforce stricter isolation for untrusted guests, ensuring they do not have elevated privileges that could trigger the race condition, for example by applying SELinux or AppArmor profiles that restrict KVM control access and hardening the hypervisor environment.


Tracking


Advisories

No advisories yet.

History

Sun, 14 Jun 2026 05:45:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Wed, 10 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Wed, 10 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Tue, 09 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Tue, 09 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Reassign nested_mmus array behind mmu_lock kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array. Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.
Title KVM: arm64: Reassign nested_mmus array behind mmu_lock
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:08:48.063Z

Reserved: 2026-05-13T15:03:33.112Z

Link: CVE-2026-46317

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T13:16:37.000

Modified: 2026-06-14T06:16:24.313

Link: CVE-2026-46317

Redhat

Severity : Moderate

Public Date: 2026-06-09T00:00:00Z

Links: CVE-2026-46317 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-14T07:30:10Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference