PT-2026-47754 · Linux · Linux

Published 2026-06-09 · Updated 2026-06-09 · CVE-2026-46317

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Reassign nested_mmus array behind mmu_lock
kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.
Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.
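
The ordering described in the fix, as an added userspace example in C. It is not the kernel patch or code from this page. A pthread mutex stands in for mmu_lock; struct vm, struct mmu, struct pgt, grow() and walk_consistent() are hypothetical names, and callers of grow() are assumed to be serialised by a separate lock, the role config_lock plays above.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

struct mmu;
struct pgt { struct mmu *mmu; };        /* back pointer into the array */
struct mmu { struct pgt *pgt; };        /* pgt == NULL: slot not set up yet */
struct vm {
    pthread_mutex_t lock;               /* stands in for mmu_lock */
    struct mmu *mmus;                   /* stands in for nested_mmus[] */
    size_t n;
};

/* Walker: touches the array only while holding the lock. Returns how many
 * initialised entries have a back pointer matching their current address. */
size_t walk_consistent(struct vm *vm)
{
    size_t ok = 0;
    pthread_mutex_lock(&vm->lock);
    for (size_t i = 0; i < vm->n; i++)
        if (vm->mmus[i].pgt && vm->mmus[i].pgt->mmu == &vm->mmus[i])
            ok++;
    pthread_mutex_unlock(&vm->lock);
    return ok;
}

/* Grow the array without ever exposing a freed buffer to a walker. */
int grow(struct vm *vm, size_t new_n)
{
    struct mmu *tmp, *old;
    if (new_n <= vm->n)                 /* growers are serialised (assumed) */
        return 0;
    tmp = calloc(new_n, sizeof(*tmp));  /* may block, so done outside the lock */
    if (!tmp)
        return -1;

    pthread_mutex_lock(&vm->lock);
    if (vm->n)
        memcpy(tmp, vm->mmus, vm->n * sizeof(*tmp));   /* copy entries */
    for (size_t i = 0; i < vm->n; i++)
        if (tmp[i].pgt)
            tmp[i].pgt->mmu = &tmp[i];                 /* fix back pointers */
    old = vm->mmus;
    vm->mmus = tmp;                                    /* reassign the array */
    vm->n = new_n;
    pthread_mutex_unlock(&vm->lock);
    free(old);                          /* old buffer freed after unlocking */
    return 0;
}
```

Because the swap and the back-pointer fix-up happen inside one critical section, a walker sees either the old array with old back pointers or the new array with new ones, never a mix and never the freed buffer.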

Related Identifiers

CVE-2026-46317

Affected Products

Linux