CVE-2026-46317 Overview
CVE-2026-46317 is a use-after-free vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem for arm64. The flaw resides in the nested virtualization MMU (Memory Management Unit) handling, specifically the kvm->arch.nested_mmus[] array. The array is walked under kvm->mmu_lock, including from the MMU notifier path via kvm_unmap_gfn_range() and kvm_nested_s2_unmap(). However, kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock. A concurrent walker can therefore reference freed memory.
Critical Impact
A local attacker with privileges to initialize nested virtualization on an arm64 KVM host can trigger a race that dereferences freed memory, leading to kernel memory corruption or denial of service.
Affected Products
- Linux kernel with KVM arm64 nested virtualization support
- arm64 hosts running guests with nested virtualization (NV) enabled
- Distributions shipping affected upstream kernels prior to the referenced stable commits
Discovery Timeline
- 2026-06-09 - CVE-2026-46317 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46317
Vulnerability Analysis
The vulnerability is a classic use-after-free caused by mismatched locking on a shared data structure. The nested_mmus array tracks per-VM nested stage-2 MMUs used when KVM emulates nested virtualization on arm64. Readers of this array, including the MMU notifier callback chain kvm_unmap_gfn_range() → kvm_nested_s2_unmap(), synchronize using kvm->mmu_lock. The writer in kvm_vcpu_init_nested() resized the array, freed the old buffer, and updated the pointer while holding only kvm->arch.config_lock. Because the two locks do not exclude each other, a notifier walker can read a stale pointer or traverse a buffer that has already been returned to the allocator.
Root Cause
The root cause is inconsistent lock coverage on kvm->arch.nested_mmus[]. Allocation and kvfree() cannot run under mmu_lock because both can sleep, but the writer never acquired mmu_lock at all, neither to publish the new pointer nor to make freeing the old buffer safe. This leaves a window in which a reader holding mmu_lock can still be walking the old buffer when the writer frees it, or can pick up a pointer to memory that has just been released.
Attack Vector
Exploitation requires local privileges to create KVM virtual machines with nested virtualization on an arm64 host. By racing repeated kvm_vcpu_init_nested() calls against memory operations that trigger MMU notifier unmap paths, an attacker can cause the kernel to walk a freed array. Depending on heap state, this can produce a denial of service via kernel panic or potentially be shaped into a memory corruption primitive.
No public proof-of-concept is referenced in the advisory. See the upstream commits for the precise code paths affected.
Fix Summary
The upstream fix allocates the new array outside mmu_lock (allocation can sleep). Under mmu_lock, the kernel copies existing entries, fixes up back pointers, and reassigns the array pointer. The old buffer is freed with kvfree() after dropping the lock, since kvfree() may also sleep. This serializes publication of the array against MMU notifier walkers.
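The locking pattern described above, as an added user-space model in C that is not kernel code: mmu_lock is a non-sleeping spinlock, struct vm stands in for struct kvm, and the allocation and free helpers abort if called with mmu_lock held, the way might_sleep() would complain in the kernel. The writer allocates before taking the lock, copies entries, fixes up back pointers and publishes under it, and frees the old buffer only after unlocking.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* Non-sleeping lock standing in for kvm->mmu_lock (an rwlock in the kernel). */
struct spin { atomic_int locked; };
static void spin_lock(struct spin *l) { while (atomic_exchange(&l->locked, 1)) ; }
static void spin_unlock(struct spin *l) { atomic_store(&l->locked, 0); }

struct s2_mmu { struct vm *vm; unsigned id; };  /* back pointer to the owning VM */
struct vm {                                     /* hypothetical stand-in for struct kvm */
    struct spin mmu_lock;
    struct s2_mmu *nested_mmus;                 /* models kvm->arch.nested_mmus[] */
    size_t nr_mmus;
};

/* calloc()/free() may sleep like kvmalloc()/kvfree(): abort if mmu_lock is held. */
static struct s2_mmu *sleeping_alloc(struct vm *vm, size_t n) {
    if (atomic_load(&vm->mmu_lock.locked)) abort();
    return calloc(n, sizeof(struct s2_mmu));
}
static void sleeping_free(struct vm *vm, void *p) {
    if (atomic_load(&vm->mmu_lock.locked)) abort();
    free(p);
}

/* Writer in the shape of the fix: allocate outside, publish under, free after. */
int nested_mmus_grow(struct vm *vm, size_t new_nr) {
    struct s2_mmu *old, *fresh = sleeping_alloc(vm, new_nr);
    if (!fresh || new_nr < vm->nr_mmus) { free(fresh); return -1; }
    spin_lock(&vm->mmu_lock);
    if (vm->nr_mmus) memcpy(fresh, vm->nested_mmus, vm->nr_mmus * sizeof(*fresh));
    for (size_t i = 0; i < new_nr; i++) { fresh[i].vm = vm; fresh[i].id = (unsigned)i; }
    old = vm->nested_mmus;
    vm->nested_mmus = fresh;                    /* publication, seen by walkers */
    vm->nr_mmus = new_nr;
    spin_unlock(&vm->mmu_lock);
    sleeping_free(vm, old);                     /* kvfree() only after dropping the lock */
    return 0;
}

/* Walker modelling kvm_nested_s2_unmap(): reads the array under mmu_lock and
 * returns how many entries still carry a consistent back pointer and id. */
size_t nested_s2_unmap_walk(struct vm *vm) {
    size_t ok = 0;
    spin_lock(&vm->mmu_lock);
    for (size_t i = 0; i < vm->nr_mmus; i++)
        ok += (vm->nested_mmus[i].vm == vm && vm->nested_mmus[i].id == i);
    spin_unlock(&vm->mmu_lock);
    return ok;
}
```

Moving the free() call inside the locked region makes sleeping_free() abort, which is the same constraint that forced the upstream fix to defer kvfree() until after the lock is dropped.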
Detection Methods for CVE-2026-46317
Indicators of Compromise
- Unexpected kernel oops or panic referencing kvm_nested_s2_unmap, kvm_unmap_gfn_range, or nested_mmus on arm64 KVM hosts
- KASAN (Kernel Address Sanitizer) reports flagging use-after-free in the KVM arm64 nested MMU code paths
- Repeated crashes correlated with workloads that create or tear down nested virtual machines
Detection Strategies
- Inventory arm64 hosts running KVM with nested virtualization enabled and compare running kernel versions against the patched upstream commits 4424dbcb06d6, 70543358fa08, and 918450ad6010.
- Enable KASAN on test or canary kernels to surface latent use-after-free conditions during nested VM lifecycle operations.
- Review hypervisor host logs for BUG: or Oops: entries involving KVM arm64 symbols.
Monitoring Recommendations
- Collect kernel ring buffer (dmesg) and kdump artifacts from arm64 KVM hosts and forward to a central log store for analysis.
- Alert on unexpected reboots or kernel crashes on hypervisors hosting multi-tenant workloads.
- Track who can issue KVM_ARM_VCPU_INIT with nested feature flags, since exploitation requires that capability.
How to Mitigate CVE-2026-46317
Immediate Actions Required
- Apply the upstream stable kernel updates containing commits 4424dbcb06d6, 70543358fa08, and 918450ad6010 to all affected arm64 KVM hosts.
- Restrict creation of KVM guests with nested virtualization to trusted administrators on hosts that cannot be patched immediately.
- Reboot hypervisors after kernel package installation to load the fixed image.
Patch Information
The fix is available in the Linux stable tree. Refer to the upstream commits for the exact diff: kernel.org commit 4424dbcb06d6, kernel.org commit 70543358fa08, and kernel.org commit 918450ad6010. Distribution vendors will backport these patches into their supported kernel branches.
Workarounds
- Disable nested virtualization on arm64 KVM hosts where it is not required by unloading or reconfiguring the kvm_arm module without the nested parameter.
- Limit local access to the /dev/kvm device through filesystem permissions and cgroup policies until patched kernels are deployed.
- Migrate sensitive workloads to already-patched hosts to reduce exposure on unpatched hypervisors.
# Verify kernel version and KVM nested status on arm64
uname -r
cat /sys/module/kvm_arm/parameters/nested 2>/dev/null
# Temporarily disable nested KVM on arm64 (reboot required)
echo 'options kvm_arm nested=0' | sudo tee /etc/modprobe.d/kvm-arm.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.