Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3156 articles · 172095 vulns · 36/41 feeds (7d)
← Back to list
9.3
CVE-2026-46316EXPLOITEDPATCHED
linux · linux kernel

KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.

Affected Products

VendorProductVersions
linuxlinux kernel8201d1028caa4fae88e222c4e8cf541fdf45b821, 8201d1028caa4fae88e222c4e8cf541fdf45b821, 8201d1028caa4fae88e222c4e8cf541fdf45b821, 8201d1028caa4fae88e222c4e8cf541fdf45b821, 6.10

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
open sourceopen source linux kernelcert_advisory90%

References

  • https://git.kernel.org/stable/c/b7b72e88046328c9fdc638fe887d4240257dd5dc
  • https://git.kernel.org/stable/c/2bbc395e81bd29c543a0529a678327e932a7ec69
  • https://git.kernel.org/stable/c/9121f4605ab94969f62d1b5714ca3c6c69bd202f
  • https://git.kernel.org/stable/c/13031fb6b8357fbbcded2a7f4cba73e4781ee594

Related News (7 articles)

Tier D
CSO Online3h ago
16-year-old KVM flaw allows attackers to escape VMs and take over Linux servers
→ No new info (linked only)
Tier E
Hacker News25d ago
ITScape (CVE-2026-46316): KVM/ARM64 VM escape
→ No new info (linked only)
Tier E
Lobsters Security27d ago
ITScape: Guest-to-Host Escape in KVM/arm64
→ No new info (linked only)
Tier C
oss-security27d ago
ITScape: Guest-to-Host Escape in KVM/arm64 (CVE-2026-46316)
→ No new info (linked only)
Tier B
BSI Advisories27d ago
[NEU] [hoch] Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service
→ No new info (linked only)
Tier C
VulDB28d ago
CVE-2026-46316 | Linux Kernel up to 6.12.92/6.18.34/7.0.11/7.1-rc6 KVM vgic_its_invalidate_cache locking
→ No new info (linked only)
Tier C
Linux Kernel CVEs28d ago
CVE-2026-46316: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
→ No new info (linked only)
CVSS 3.19.3 CRITICAL
VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
b7b72e88046328c9fdc638fe887d4240257dd5dc2bbc395e81bd29c543a0529a678327e932a7ec699121f4605ab94969f62d1b5714ca3c6c69bd202f13031fb6b8357fbbcded2a7f4cba73e4781ee59406.12.936.18.357.0.127.1-rc7
CWECWE-416
PublishedJun 9, 2026
Last enriched3h agov4
Tags
KVMLinux KernelJanuscapeVM Escape
Trending Score78
Source articles7
Independent7
Info Completeness10/14
Missing: epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

HIGHCVE-2026-43284EXPKEV
xfrm: esp: avoid in-place decrypt on shared skb frags
Trending: 141
HIGHCVE-2026-43500EXPKEV
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Trending: 133
HIGHCVE-2026-53359EXP
KVM: x86: Fix shadow paging use-after-free due to unexpected role
Trending: 80
HIGHCVE-2026-46242EXP
eventpoll: fix ep_remove struct eventpoll / struct file UAF
Trending: 59
CRITICALCVE-2026-53360EXP
KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
Trending: 53

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jun 9, 2026
Discovered by ZDM
Jun 9, 2026
Updated: description, affectedVersions, severity, cweIds, tags
Jun 9, 2026
Updated: description, exploitAvailable, activelyExploited
Jun 10, 2026
Actively Exploited
Jul 7, 2026
Exploit Available
Jul 7, 2026
Patch Available
Jul 7, 2026
Updated: cweIds, tags
Jul 7, 2026

Version History

v4
Last enriched 3h ago
v4Tier D3h ago

Updated description with significant technical details, added CWE-416, and included new tags related to the vulnerability.

cweIdstags
via CSO Online
v3Tier C27d ago

Updated description with details about the guest-to-host escape vulnerability and marked exploit as available and actively exploited.

descriptionexploitAvailableactivelyExploited
via oss-security
v2Tier C28d ago

Updated description with new details, changed severity to CRITICAL, and added affected versions and new CWE.

descriptionaffectedVersionsseveritycweIdstags
via VulDB
v128d ago

Initial creation