PT-2026-47753 · Linux · Linux Kernel

Published 2026-06-01 · Updated 2026-06-15 · CVE-2026-46316

CVSS v3.1: 9.3 Critical
Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)
Description: A race condition in the in-kernel KVM vGIC-ITS (Interrupt Translation Service) emulation on arm64 allows a guest-to-host escape. The issue exists in the vgic_its_invalidate_cache() function, which incorrectly drops the translation cache reference by calling vgic_put_irq() on the iterated pointer instead of on the value returned by xa_erase(). Because this function is called from multiple concurrent contexts, including the ITS command handlers (holding its_lock), the GITS_CTLR write path (holding cmd_lock) and the GICR_CTLR path (which holds no lock), several contexts can erase and put the same entry simultaneously. This leads to a double free and a use-after-free, where an entry is freed while an ITE (Interrupt Translation Entry) still maps it. An attacker at EL1 (guest kernel privilege) can trigger this by issuing a sequence of GIC ITS register writes, potentially allowing arbitrary code execution with root privileges directly in the host kernel and bypassing the isolation between tenants in multi-tenant cloud environments.
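To make the reference-counting error concrete, here is an added, constructed C model of the pattern (not kernel code and not the fix): a single-slot stand-in for the xarray, a toy put routine, and two contexts that each snapshot the same cache entry before either erases it, as the lockless GICR_CTLR path permits. The names toy_xa_erase, toy_put_irq, invalidate_buggy, invalidate_safe and run_race are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: an IRQ object with a refcount, and a one-slot "cache". */
struct irq { int refcount; bool freed; };
struct cache { struct irq *slot; };

/* Stand-in for xa_erase(): clears the slot and returns what was stored,
 * or NULL if another context already removed the entry. */
static struct irq *toy_xa_erase(struct cache *c) {
    struct irq *old = c->slot;
    c->slot = NULL;
    return old;
}

/* Stand-in for vgic_put_irq(): drop one reference, "free" at zero. */
static void toy_put_irq(struct irq *irq) {
    if (!irq) return;
    if (--irq->refcount == 0) irq->freed = true;
}

/* Vulnerable pattern: the reference is dropped on the pointer seen while
 * iterating, whether or not this context is the one that erased it. */
static void invalidate_buggy(struct cache *c, struct irq *iterated) {
    toy_xa_erase(c);
    toy_put_irq(iterated);
}

/* Safe pattern: only the context whose erase actually returned the entry
 * drops the reference; a late context gets NULL and does nothing. */
static void invalidate_safe(struct cache *c, struct irq *iterated) {
    (void)iterated;
    toy_put_irq(toy_xa_erase(c));
}

/* Two contexts (A and B) both observe the cached entry, then each invalidates.
 * Returns the IRQ's final refcount: 1 means the ITE's reference survived,
 * 0 means the object was freed while the ITE still maps it. */
static int run_race(bool safe) {
    struct irq irq = { .refcount = 2, .freed = false }; /* refs: ITE mapping + cache */
    struct cache c = { .slot = &irq };
    struct irq *seen_by_a = c.slot;
    struct irq *seen_by_b = c.slot;
    if (safe) { invalidate_safe(&c, seen_by_a);  invalidate_safe(&c, seen_by_b); }
    else      { invalidate_buggy(&c, seen_by_a); invalidate_buggy(&c, seen_by_b); }
    return irq.refcount;
}
```

The buggy variant ends with refcount 0 (freed while still mapped); the safe variant ends with refcount 1, held by the ITE.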
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

BDU:2026-08088
CVE-2026-46316
OPENSUSE-SU-2026:11014-1

Affected Products

Linux Kernel