CVE-2026-46147
Analyzed Analyzed - Analysis Complete
Memory Leak in Linux Kernel KVM for ARM64

Publication date: 2026-05-28

Last updated on: 2026-06-10

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu() Two bugs exist in the vCPU initialisation path: 1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup path jumps to 'unlock' without calling unpin_host_vcpu() or unpin_host_sve_state(), permanently leaking pin references on the host vCPU and SVE state pages. Extract a register_hyp_vcpu() helper that performs the checks and the store. When register_hyp_vcpu() returns an error, call unpin_host_vcpu() and unpin_host_sve_state() inline before falling through to the existing 'unlock' label. 2. register_hyp_vcpu() publishes the new vCPU pointer into 'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU object. Ensure the store uses smp_store_release() and the load uses smp_load_acquire(). While 'vm_table_lock' currently serialises the store and the load, these barriers ensure the reader sees the fully initialised 'hyp_vcpu' object even if there were a lockless path or if the lock's own ordering guarantees were insufficient for nested object initialization.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-10
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46147
EUVD
EUVD-2026-32774
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel to 6.18.30 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability is resolved by fixing the pin leak and publication ordering in the Linux kernel's KVM arm64 code, specifically in the __pkvm_init_vcpu() function.

Immediate mitigation steps include updating the Linux kernel to a version that contains the fix for this vulnerability.

Executive Summary

This vulnerability exists in the Linux kernel's KVM (Kernel-based Virtual Machine) arm64 code, specifically in the vCPU initialization path within the __pkvm_init_vcpu() function.

There are two main bugs: First, if a check fails after successfully pinning shared memory with hyp_pin_shared_mem(), the cleanup process skips necessary unpinning functions, causing a permanent leak of pin references on the host vCPU and SVE state pages.

Second, the function register_hyp_vcpu() publishes a new vCPU pointer using a bare store, which can allow concurrent callers to observe a partially initialized vCPU object. This is fixed by using memory barriers (smp_store_release() and smp_load_acquire()) to ensure proper publication ordering and visibility of the fully initialized object.

Impact Analysis

The vulnerability can lead to resource leaks on the host system due to pin references not being properly released, which may degrade system stability or performance over time.

Additionally, the exposure of partially initialized vCPU objects could potentially cause unpredictable behavior or security issues in virtualized environments, such as data corruption or privilege escalation, although specific impacts are not detailed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46147. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart