CVE-2026-46147
Status: Received - Intake
Memory Leak in Linux Kernel KVM for ARM64

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()

Two bugs exist in the vCPU initialisation path:

1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup path jumps to 'unlock' without calling unpin_host_vcpu() or unpin_host_sve_state(), permanently leaking pin references on the host vCPU and SVE state pages. Extract a register_hyp_vcpu() helper that performs the checks and the store. When register_hyp_vcpu() returns an error, call unpin_host_vcpu() and unpin_host_sve_state() inline before falling through to the existing 'unlock' label.

2. register_hyp_vcpu() publishes the new vCPU pointer into 'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU object. Ensure the store uses smp_store_release() and the load uses smp_load_acquire(). While 'vm_table_lock' currently serialises the store and the load, these barriers ensure the reader sees the fully initialised 'hyp_vcpu' object even if there were a lockless path or if the lock's own ordering guarantees were insufficient for nested object initialization.
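The two defects in the description, the error-path pin leak and the bare-store publication, modelled side by side in a constructed C example added here (not the kernel's code): hyp_vcpu, pool, vcpus[], init_vcpu_leaky, init_vcpu_fixed and load_hyp_vcpu are stand-in names, a counter stands in for the pin references, and C11 release/acquire atomics stand in for smp_store_release()/smp_load_acquire().

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed illustration of the two bug patterns, not the kernel's code:
 * host_pins stands in for the references hyp_pin_shared_mem() takes and
 * unpin_host_vcpu()/unpin_host_sve_state() drop; vcpus[] for hyp_vm->vcpus[]. */
#define NR_VCPUS 4
struct hyp_vcpu { bool initialised; };
struct hyp_vcpu pool[NR_VCPUS];                   /* objects handed to init */
static int host_pins;                             /* outstanding pin references */
static _Atomic(struct hyp_vcpu *) vcpus[NR_VCPUS];
int pins_outstanding(void) { return host_pins; }

/* Before the fix: a check failing after the pin jumps straight to 'unlock' and the
 * pins are never dropped; the pointer is published with a bare (here relaxed) store. */
int init_vcpu_leaky(struct hyp_vcpu *v, int idx, bool check_ok)
{
    host_pins++;                                  /* hyp_pin_shared_mem() */
    if (!check_ok || idx >= NR_VCPUS)
        goto unlock;                              /* BUG: pins leaked */
    v->initialised = true;
    atomic_store_explicit(&vcpus[idx], v, memory_order_relaxed);
    return 0;
unlock:
    return -1;
}
/* After the fix: register_hyp_vcpu() does the checks and publishes with a
 * release store; on error the caller unpins before reaching 'unlock'. */
static int register_hyp_vcpu(struct hyp_vcpu *v, int idx, bool check_ok)
{
    if (!check_ok || idx >= NR_VCPUS)
        return -1;
    v->initialised = true;                        /* every write precedes... */
    atomic_store_explicit(&vcpus[idx], v, memory_order_release); /* ...publication */
    return 0;
}
int init_vcpu_fixed(struct hyp_vcpu *v, int idx, bool check_ok)
{
    host_pins++;                                  /* hyp_pin_shared_mem() */
    int ret = register_hyp_vcpu(v, idx, check_ok);
    if (ret)
        host_pins--;                              /* unpin_host_vcpu() + unpin_host_sve_state() */
    return ret;
}
/* Reader side, as pkvm_load_hyp_vcpu(): the acquire load pairs with the release
 * store, so a non-NULL result is always a fully initialised object. */
struct hyp_vcpu *load_hyp_vcpu(int idx)
{
    return atomic_load_explicit(&vcpus[idx], memory_order_acquire);
}
```

Running both variants with a failing check shows the leaky path leaving a pin outstanding while the fixed path returns the count to where it was; the acquire-side reader then only ever sees NULL or an object whose initialised flag is already set.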
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by fixing the pin leak and publication ordering in the Linux kernel's KVM arm64 code, specifically in the __pkvm_init_vcpu() function.

Immediate mitigation steps include updating the Linux kernel to a version that contains the fix for this vulnerability.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's KVM (Kernel-based Virtual Machine) arm64 code, specifically in the vCPU initialization path within the __pkvm_init_vcpu() function.

There are two main bugs: First, if a check fails after successfully pinning shared memory with hyp_pin_shared_mem(), the cleanup process skips necessary unpinning functions, causing a permanent leak of pin references on the host vCPU and SVE state pages.

Second, the function register_hyp_vcpu() publishes a new vCPU pointer using a bare store, which can allow concurrent callers to observe a partially initialized vCPU object. This is fixed by using memory barriers (smp_store_release() and smp_load_acquire()) to ensure proper publication ordering and visibility of the fully initialized object.


How can this vulnerability impact me?

The vulnerability can lead to resource leaks on the host system due to pin references not being properly released, which may degrade system stability or performance over time.

Additionally, the exposure of partially initialized vCPU objects could potentially cause unpredictable behavior or security issues in virtualized environments, such as data corruption or privilege escalation, although specific impacts are not detailed.

