CVE-2026-46316
Received Received - Intake
Reference Leak in Linux Kernel KVM vgic-its

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-09
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-46316
EUVD
EUVD-2026-35405
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's KVM arm64 vgic-its component. The issue arises because the function vgic_its_invalidate_cache() incorrectly drops references to cache entries multiple times when multiple contexts concurrently invalidate the same cache entries. Specifically, it drops the reference on the iterator pointer rather than the value returned by xa_erase(), which leads to the cache reference being dropped more than once for the same entry.

As a result, an entry can be freed while it is still mapped by an ITE (Interrupt Translation Entry), causing potential use-after-free scenarios. The fix ensures that only the entry actually removed by xa_erase() has its reference dropped, preventing multiple drops and ensuring safe concurrent invalidations.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the Linux kernel's virtual interrupt controller for arm64 KVM. If exploited, it could cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges by manipulating the freed memory.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46316. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart