CVE-2026-46316 Overview
CVE-2026-46316 is a Linux kernel vulnerability in the KVM (Kernel-based Virtual Machine) subsystem on arm64 platforms. The flaw resides in the vgic_its_invalidate_cache() function, which manages the per-ITS (Interrupt Translation Service) translation cache used by the virtual Generic Interrupt Controller (vGIC). The function incorrectly drops a reference on the iterated pointer rather than the value returned by xa_erase(). Concurrent invalidations across non-mutually-exclusive code paths can drop the same cache reference multiple times, leading to a use-after-free condition where an Interrupt Translation Entry (ITE) still maps freed memory.
Critical Impact
Concurrent cache invalidations in KVM arm64 vGIC ITS handling can free an interrupt entry while it is still mapped, producing a use-after-free condition exploitable from a guest VM context.
Affected Products
- Linux kernel (KVM arm64 subsystem, vgic-its component)
- Distributions shipping affected upstream kernel versions on arm64 hardware
- Stable kernel branches receiving the referenced commit backports
Discovery Timeline
- 2026-06-09 - CVE-2026-46316 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46316
Vulnerability Analysis
The defect is a Use-After-Free condition rooted in incorrect reference counting during concurrent XArray traversal. The vgic_its_invalidate_cache() function walks the per-ITS translation cache using xa_for_each() and calls vgic_put_irq() on each iterated entry. The function invokes vgic_put_irq() on the pointer obtained during iteration rather than on the pointer returned by xa_erase(), which is the atomic removal operation.
Three distinct call sites can invoke this invalidation path without mutual exclusion. ITS command handlers acquire its_lock. The GITS_CTLR write path holds cmd_lock. The redistributor path that clears EnableLPIs in GICR_CTLR holds neither lock. When two or more contexts execute concurrently and observe the same cache entry, each context erases the entry and then drops a reference on it. The cache holds only a single reference per entry, so this extra vgic_put_irq() call decrements the refcount below zero and frees the underlying IRQ descriptor while an Interrupt Translation Entry still references it.
Root Cause
The root cause is an atomicity mismatch between xa_erase() semantics and the surrounding iteration logic. xa_erase() is atomic and returns the previous entry value, indicating whether the calling context actually performed the removal. The original code ignored this return value and unconditionally released the reference held by the iterator. The fix replaces the iterator-based vgic_put_irq() with one that consumes the return value of xa_erase(), ensuring exactly one release per actual removal.
Attack Vector
Exploitation requires a local attacker with the ability to execute code inside a KVM guest on an arm64 host, or with privileges to manipulate vGIC ITS state on the host. A malicious guest can trigger concurrent invalidations by issuing ITS commands while a sibling vCPU modifies GITS_CTLR or toggles EnableLPIs in a redistributor's GICR_CTLR. Successful exploitation produces a use-after-free in kernel memory, which can be leveraged for privilege escalation or host denial of service. No verified public proof-of-concept exists at the time of publication. The vulnerability mechanism is described in the upstream commit references; consult the Kernel Git Commit 2bbc395e for the authoritative patch description.
Detection Methods for CVE-2026-46316
Indicators of Compromise
- Kernel oops or panic logs referencing vgic_its_invalidate_cache, vgic_put_irq, or KVM ITS code paths on arm64 hosts.
- KASAN (Kernel Address Sanitizer) reports indicating use-after-free in vGIC ITS structures during guest LPI (Locality-specific Peripheral Interrupt) operations.
- Unexpected guest VM crashes or host instability correlated with ITS command submission from guests.
Detection Strategies
- Audit running kernel versions on arm64 KVM hosts against the fixed commits referenced in the upstream advisory.
- Enable KASAN and lockdep on test kernels to surface concurrent reference-count violations in vGIC code paths.
- Correlate dmesg warnings about IRQ refcount underflow with guest workloads that issue heavy ITS command traffic.
Monitoring Recommendations
- Monitor host kernel logs for KVM and vgic-related warnings, oops messages, and refcount imbalance traces.
- Track guest vCPU activity that combines ITS command writes with concurrent GICR_CTLR modifications.
- Alert on unexpected host reboots or guest VM termination events on arm64 virtualization hosts.
How to Mitigate CVE-2026-46316
Immediate Actions Required
- Identify all arm64 hosts running KVM with guests using LPIs and the ITS, and inventory their kernel versions.
- Apply distribution kernel updates that incorporate the upstream fix commits as soon as they are available.
- Restrict guest VM creation and ITS-capable device passthrough to trusted tenants until patches are deployed.
Patch Information
The upstream fix replaces the iterator-based reference release with one that consumes the value returned by xa_erase(). The relevant stable kernel commits are Kernel Git Commit 13031fb6, Kernel Git Commit 2bbc395e, Kernel Git Commit 9121f460, and Kernel Git Commit b7b72e88. Apply the kernel update from your distribution that includes these commits and reboot affected hosts.
Workarounds
- Avoid running untrusted guests on arm64 KVM hosts until the patched kernel is deployed.
- Where feasible, disable ITS usage in guest configurations or fall back to non-ITS interrupt configurations.
- Limit the number of vCPUs per guest to reduce the window for concurrent invalidation races, accepting the performance trade-off.
# Verify the running kernel version on an arm64 KVM host
uname -r
# Check whether the host is arm64 and KVM is loaded
arch
lsmod | grep kvm
# Confirm the installed kernel package includes the fix (Debian/Ubuntu example)
apt-cache policy linux-image-$(uname -r)
# Confirm the installed kernel package includes the fix (RHEL/Fedora example)
rpm -q --changelog kernel | grep -i "vgic-its\|46316"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
