9.3
CRITICAL CVSS 3.1
CVE-2026-46316
KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
Description

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.

INFO

Published Date :

June 9, 2026, 1:16 p.m.

Last Modified :

June 14, 2026, 6:16 a.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Products

The following products are affected by CVE-2026-46316 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS 3.1 HIGH 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Solution
Fix the translation cache reference dropping logic to prevent double-free.
  • Only drop reference for the erased entry.
  • Ensure xa_erase() returns the correct entry.
  • Apply the vendor-supplied patch.
  • Update the Linux kernel.
Public PoC/Exploit Available at Github

CVE-2026-46316 has a 2 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-46316 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-46316 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

My original research on grok.com VMs

Updated: 6 hours, 45 minutes ago
0 stars 0 fork 0 watcher
Born at : July 1, 2026, 12:44 p.m. This repo has been linked 1 different CVEs too.

Look for possible escape vectors from a container

aws azure cicd devsecops docker kubernetes kubernetes-security cve-scanning kernel-hardening kernel-security

Shell

Updated: 1 week, 4 days ago
5 stars 0 fork 0 watcher
Born at : April 16, 2026, 9:50 a.m. This repo has been linked 22 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-46316 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2026-46316 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 14, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 09, 2026

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.
    Added Reference https://git.kernel.org/stable/c/13031fb6b8357fbbcded2a7f4cba73e4781ee594
    Added Reference https://git.kernel.org/stable/c/2bbc395e81bd29c543a0529a678327e932a7ec69
    Added Reference https://git.kernel.org/stable/c/9121f4605ab94969f62d1b5714ca3c6c69bd202f
    Added Reference https://git.kernel.org/stable/c/b7b72e88046328c9fdc638fe887d4240257dd5dc
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.