CVE-2026-46317 - Vulnerability Details

- KVM: arm64: Reassign nested_mmus array behind mmu_lock

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Reassign nested_mmus array behind mmu_lock

kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the
MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which
can run at any time. kvm_vcpu_init_nested() reallocates the array and frees
the old buffer while holding only kvm->arch.config_lock, so such a walker
can reference the freed array.

Allocate the new array outside of mmu_lock, as the allocation can sleep.
Under the lock, copy the existing entries, fix up the back pointers and
reassign the array. Free the old buffer after dropping the lock, as
kvfree() can sleep as well.

Published: 2026-06-09

Score: 7.0 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability stems from a race condition in the ARM64 KVM implementation of the Linux kernel. When a guest VM is active, the kernel walks the nested_mmus array under kvm->mmu_lock while the array may be reallocated under kvm->arch.config_lock. Because the reallocation frees the old buffer outside of mmu_lock, a concurrent walker may reference freed memory, yielding a use‑after‑free that can corrupt critical data structures. This flaw can lead to arbitrary code execution from kernel space or a forced kernel crash, impacting availability and potentially confidentiality and integrity at the host level.

Affected Systems

The flaw is present in all Linux kernels running on ARM64 that enable KVM, regardless of distribution. Any system that loads the affected kernel and provides nested paging to guests is affected.

Risk and Exploitability

The CVSS score of 7.0 indicates medium‑to‑high severity. With no publicly known exploit and EPSS unavailable, the real‑world exploit probability is uncertain, but the attack surface is limited to guests that can trigger the race. If a malicious guest can execute code inside the KVM context, it may be able to trigger the reallocation timing to gain arbitrary code execution or crash the host. The flaw is not listed in CISA KEV, but due to its kernel‑level nature, system administrators should treat it as high risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`4f128f8e1aaac189f83d0f828bcdb2986d8d2e51`	affected	< 918450ad6010df6ecd2efde12a1409e011da22d6
`4f128f8e1aaac189f83d0f828bcdb2986d8d2e51`	affected	< 4424dbcb06d68e34e51c019a5781a7dc00731971
`4f128f8e1aaac189f83d0f828bcdb2986d8d2e51`	affected	< 70543358fa08e0f7cebc3447c3b70fe97ad7aaa8

Linux

affected

Version	Status	Constraints
`6.11`	affected	—
`0`	unaffected	< 6.11
`6.18.35`	unaffected	≤ 6.18.*
`7.0.12`	unaffected	≤ 7.0.*
`7.1-rc7`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[4f128f8e1aaac189f83d0f828bcdb2986d8d2e51,918450ad6010df6ecd2efde12a1409e011da22d6)`	affected	code_commit	—
`[4f128f8e1aaac189f83d0f828bcdb2986d8d2e51,4424dbcb06d68e34e51c019a5781a7dc00731971)`	affected	code_commit	—
`[4f128f8e1aaac189f83d0f828bcdb2986d8d2e51,70543358fa08e0f7cebc3447c3b70fe97ad7aaa8)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.11`	affected	semver	—
`[0,6.11)`	unaffected	semver	—
`[6.18.35,6.19.0)`	unaffected	semver	—
`[7.0.12,7.1.0)`	unaffected	semver	—
`[7.1-rc7,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that fixes the nested_mmus reallocation, e.g., install the latest stable kernel or apply the referenced commits.
If patching cannot be performed immediately, disable KVM nested paging for untrusted guests by setting CONFIG_KVM_ARM64_NESTED=n or starting VMs with the –n option to prevent the mmu_lock race.
Restrict guest exposure by running only trusted VMs and enforcing strict privilege isolation or MAC policies to limit the amount of code the guest can execute.

Generated by OpenCVE AI on June 10, 2026 at 03:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4424dbcb06d68e34e51c019a5781a7dc00731971
https://git.kernel.org/stable/c/70543358fa08e0f7cebc3447c3b70fe97ad7aaa8
https://git.kernel.org/stable/c/918450ad6010df6ecd2efde12a1409e011da22d6
https://lore.kernel.org/linux-cve-announce/2026060938-CVE-2026-46317-e13c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46317
https://www.cve.org/CVERecord?id=CVE-2026-46317

History

Wed, 10 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-362 CWE-416

Wed, 10 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026060938-CVE-2026-46317-e13c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46317 https://www.cve.org/CVERecord?id=CVE-2026-46317
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Tue, 09 Jun 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-416

Tue, 09 Jun 2026 12:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Reassign nested_mmus array behind mmu_lock kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array. Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.
Title		KVM: arm64: Reassign nested_mmus array behind mmu_lock
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4424dbcb06d68e34e51c019a5781a7dc00731971 https://git.kernel.org/stable/c/70543358fa08e0f7cebc3447c3b70fe97ad7aaa8 https://git.kernel.org/stable/c/918450ad6010df6ecd2efde12a1409e011da22d6

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-09T11:52:30.333Z

Updated: 2026-06-09T11:52:30.333Z

Reserved: 2026-05-13T15:03:33.112Z

Link: CVE-2026-46317

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T13:16:37.000

Modified: 2026-06-09T13:16:37.000

Link: CVE-2026-46317

Redhat

Severity : Moderate

Publid Date: 2026-06-09T00:00:00Z

Links: CVE-2026-46317 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T03:30:16Z

Weaknesses

CWE-825

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object