Live Active security incident? Get immediate response
CVE Record

CVE-2026-46316: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.

CriticalCVSS 9.3Not KEV-listed Updated
Discuss exposure Back to CVEs
Glexia's Take critical

Analyst readout for executives and security teams

Plain-English summary

CVE-2026-46316 is a critical Linux kernel flaw in KVM on arm64 systems. A race condition in virtual interrupt translation-cache cleanup can drop the same reference more than once, potentially freeing an object still in use. This creates high-impact confidentiality, integrity, and availability risk on affected virtualization-capable Linux hosts.

Executive priority

Treat this as urgent for arm64 virtualization infrastructure, especially multi-tenant or untrusted-workload environments. Business risk is highest where kernel compromise or host instability would affect many workloads. Confirm vendor patch availability before emergency changes in production.

Technical view

The issue is in KVM arm64 vgic-its cache invalidation. Concurrent callers can observe the same xarray entry, erase it, and call vgic_put_irq() on the iterated pointer rather than only the xa_erase() return value. The fix drops the cache reference only for the entry actually removed, preventing duplicate reference drops during concurrent invalidation.

Likely exposure

Exposure is most relevant to arm64 Linux systems using KVM virtualization paths involving vgic-its. The source lists Linux as affected across specified versions and provides stable kernel commits. Distribution-specific affected package names and fixed builds are not provided in the source bundle.

Exploitation context

The CVSS vector is local, low complexity, no privileges required, and no user interaction. The source bundle does not show CISA KEV listing or other evidence of active exploitation. No public exploit status is established by the provided sources.

Researcher notes

The root cause is a concurrent invalidation race in vgic_its_invalidate_cache(). The important patch behavior is using xa_erase() atomically and releasing only the returned entry. Evidence is limited to the CVE record and upstream stable commits; no exploit narrative is provided.

Mitigation direction

  • Prioritize affected arm64 KVM-capable hosts for kernel review and remediation.
  • Apply a Linux stable kernel containing the referenced fix commits when available.
  • Check your Linux distribution or appliance vendor for fixed kernel packages.
  • If patching is delayed, reduce exposure of untrusted local workloads where practical.

Validation and detection

  • Inventory arm64 Linux hosts running KVM or virtualization workloads.
  • Compare running kernel versions against vendor advisories and fixed stable commits.
  • Verify whether the referenced fix commit is present in deployed kernel source or changelog.
  • Confirm remediation after reboot by checking the active kernel version.
Prepared
Confidence
medium
Sources
6

Public sources used

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2026-46316 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profile CVE Program record
Severity
Critical
CVSS
9.3 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1 CVSS vectors
3 Timeline events
0 ADP providers
5 Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

Score Version Severity Vector Exploit Impact Source
9.3 CVSS 3.1 Critical CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 2.5 6 Linux

Vulnerability scoring details

Base CVSS 3.1 score

9.3 Critical
CVSS 3.1 vector shape for CVE-2026-46316 Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reserved CVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE published CVE Program

    The CVE record was published.

  3. CVE updated CVE Program

    The CVE record metadata indicates this as the latest update time.

Source materials

Affected products

Products and packages named in the record

Vendor Product Version / package Status
Linux Linux 8201d1028caa4fae88e222c4e8cf541fdf45b821, 8201d1028caa4fae88e222c4e8cf541fdf45b821, 8201d1028caa4fae88e222c4e8cf541fdf45b821, 8201d1028caa4fae88e222c4e8cf541fdf45b821 unaffected
Linux Linux 6.10, 0, 6.12.93, 6.18.35, 7.0.12, 7.1 affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.