HIGH 8.8

CVE-2026-46317: Linux Kernel ARM64 KVM Use-After-Free in Nested Virtualization

A race condition in the Linux kernel's KVM (virtualization) subsystem on ARM64 systems allows a local, unprivileged user to cause a use-after-free memory error. The vulnerability exists in how the kernel manages nested virtual machine memory structures during reallocation. When the kernel reallocates its internal data structure for nested virtual machines, it frees the old memory while another part of the kernel may still be trying to access it, leading to a crash or potential privilege escalation. This requires local access and affects systems running vulnerable kernel versions with KVM nested virtualization enabled.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Weaknesses (CWE)
Affected products
7 configuration(s)
Published / Modified
2026-06-09 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Reassign nested_mmus array behind mmu_lock kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array. Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46317 is a use-after-free vulnerability in the Linux kernel's KVM nested virtualization implementation for ARM64 platforms. The root cause is a synchronization gap: the kvm->arch.nested_mmus[] array is accessed under kvm->mmu_lock (including from the MMU notifier path kvm_unmap_gfn_range() → kvm_nested_s2_unmap()), but reallocation in kvm_vcpu_init_nested() freed the old buffer while holding only kvm->arch.config_lock. This creates a window where walkers of the array can dereference freed memory. The fix involves allocating the new array outside the lock (since allocation can sleep), copying entries and updating back pointers under mmu_lock, and deferring kvfree() of the old buffer until after the lock is released.

Business impact

An attacker with local system access can trigger a kernel panic or memory corruption on virtualization-enabled ARM64 Linux systems. In production environments running KVM with nested virtualization, this could result in denial of service to hosted virtual machines or, in worst-case scenarios, potential privilege escalation to ring-0 kernel context. Organizations using ARM64 servers for cloud computing or virtualized workloads face availability and confidentiality risks. The impact is heightened in multi-tenant environments where one tenant could disrupt others.

Affected systems

Linux kernel systems on ARM64 architecture with KVM nested virtualization enabled. This typically affects cloud providers, data centers, and systems running Kubernetes or OpenStack on ARM64 hardware. Consumer and enterprise systems using ARM64 Linux (including some Raspberry Pi clusters, Graviton-based AWS instances, and Ampere systems) are vulnerable if they expose nested virtualization capabilities to untrusted users or run untrusted workloads.

Exploitability

Exploitability is moderate to high within its scope. An attacker requires local user-level access to the system (PR:L in CVSS), meaning they must already have a non-root account or ability to execute code as a regular user. No special privileges are needed; the vulnerability is triggered through normal KVM operations (e.g., launching nested VMs). Exploitation does not require user interaction and is deterministic—repeatedly creating and destroying nested VMs can reliably trigger the race. However, the vulnerability is not in the CISA KEV catalog, suggesting active exploitation in the wild is not yet documented. The race window is narrow but exploitable through repeated attempts.

Remediation

Apply the upstream Linux kernel patch that fixes the synchronization issue by reordering the allocation, copy, and deallocation operations relative to mmu_lock. Systems should upgrade to a patched kernel version. Until patching is possible, mitigations include disabling nested virtualization (nesting=N module parameter for KVM on ARM64) if not required, restricting KVM access to trusted users only via cgroup or SELinux policies, and running workloads in containers with reduced privilege. However, these are temporary measures; kernel update is essential for a permanent fix.

Patch guidance

Kernel vendors and distributions should have released patched versions by late 2026. Check your distribution's security advisories for arm64-specific kernel updates. Verify patch availability through your vendor's security portal (e.g., Red Hat, Ubuntu, Debian). The upstream Linux repository should contain the fix in mainline. For systems on extended support cycles, backport patches may be released separately. Test patches in a non-production KVM environment first, as kernel updates require reboot and may affect live VMs.

Detection guidance

Monitor kernel logs for use-after-free warnings (UAF) or general protection faults triggered during nested VM creation/destruction. Enable kernel address sanitizer (KASAN) or similar debugging tools in test environments to catch the memory violation early. In production, watch for unexplained KVM guest crashes, particularly when nested virtualization is in active use. Network-based detection is not applicable; this is a local kernel issue. Security teams should correlate VM failures with timestamps of nested VM lifecycle events (creation, migration, destruction).

Why prioritize this

With a CVSS score of 8.8 (HIGH) and access requiring only local user privileges, this vulnerability poses significant risk to multi-tenant and virtualization-heavy deployments. The use-after-free nature makes it a potential vector for privilege escalation or reliable denial of service. Although not yet in CISA's KEV catalog, the combination of high severity, local exploitability, and production impact on ARM64 virtualization infrastructure warrants prompt patching. Prioritize systems running production KVM workloads, cloud infrastructure, and container orchestration platforms on ARM64.

Risk score, explained

The CVSS 8.8 score reflects: (1) local attack vector, reducing but not eliminating risk; (2) low complexity—race conditions are straightforward to trigger; (3) low privilege requirement—any user can exploit; (4) no user interaction needed; (5) scope change—the crash affects not just the attacker's VM but the host kernel and sibling VMs; (6) high impact on confidentiality, integrity, and availability through memory corruption and kernel panic. The score is NOT 9+ only because it requires local presence, but within that constraint, the risk is severe.

Frequently asked questions

Does this affect systems without nested virtualization?

No. Nested virtualization (VMs running inside VMs) must be enabled for the vulnerability to manifest. Systems with single-level KVM hosting are not vulnerable. Check your KVM module parameters and hypervisor configuration to verify nesting is disabled if it's not required.

Can this be exploited remotely?

No. The vulnerability requires local user-level code execution on the host system. Remote attackers cannot trigger it directly. However, a tenant in a public cloud with KVM nested virtualization enabled could exploit it to attack the host.

Is there a workaround short of a kernel patch?

Yes, but temporary: disable nested virtualization if unused (kvmmodule parameter nesting=0 on ARM64), restrict KVM device access to trusted users only via file permissions or SELinux, and isolate KVM workloads in separate security contexts. These reduce attack surface but do not fix the underlying bug. Patching is the only permanent solution.

How do I know if my ARM64 system is vulnerable?

Check your Linux kernel version against your vendor's security advisory. Your kernel must be ARM64-based and have KVM enabled. Run `uname -m` to confirm ARM64 and `grep kvm /proc/cpuinfo` to check for KVM. Then consult your distribution's (Red Hat, Ubuntu, Debian, etc.) security bulletins for patched versions and apply updates.

This analysis is based on the official CVE record and Linux kernel documentation as of the published and modified dates listed. CVSS scores, severity ratings, and affected product lists are derived from authoritative sources and should be verified against vendor advisories before deployment decisions. Patch version numbers and availability must be confirmed with your distribution's security team; this document does not substitute for vendor-specific guidance. Organizations should conduct their own risk assessment based on their infrastructure, threat model, and business requirements. SEC.co makes no warranties regarding the completeness or accuracy of this information beyond the stated sources and assumes no liability for decisions made in reliance on this analysis. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).