Skip to main content

Linux Kernel CVE-2026-46147

| EUVDEUVD-2026-32774 MEDIUM
Memory Leak (CWE-401)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-m978-f9gm-gj2j
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H reflects that pKVM must be explicitly enabled (non-default) and the race condition requires concurrent initialization; PR:L correctly captures required KVM device group membership.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 21:32 vuln.today
CVSS changed
Jun 10, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()

Two bugs exist in the vCPU initialisation path:

  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup

path jumps to 'unlock' without calling unpin_host_vcpu() or unpin_host_sve_state(), permanently leaking pin references on the host vCPU and SVE state pages.

Extract a register_hyp_vcpu() helper that performs the checks and the store. When register_hyp_vcpu() returns an error, call unpin_host_vcpu() and unpin_host_sve_state() inline before falling through to the existing 'unlock' label.

  1. register_hyp_vcpu() publishes the new vCPU pointer into

'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU object.

Ensure the store uses smp_store_release() and the load uses smp_load_acquire(). While 'vm_table_lock' currently serialises the store and the load, these barriers ensure the reader sees the fully initialised 'hyp_vcpu' object even if there were a lockless path or if the lock's own ordering guarantees were insufficient for nested object initialization.

AnalysisAI

Two distinct bugs in the Linux kernel's pKVM (protected KVM) arm64 vCPU initialization path allow a local low-privileged user to cause persistent resource pin leaks and observe partially initialized memory objects. The pin leak (Bug 1) occurs when an error path in __pkvm_init_vcpu() jumps to cleanup without releasing hyp_pin_shared_mem() references on host vCPU and SVE state pages, permanently exhausting pin references and ultimately degrading or crashing the hypervisor subsystem. A separate memory ordering flaw (Bug 2) uses a bare store to publish the vCPU pointer into hyp_vm->vcpus[], allowing a concurrent pkvm_load_hyp_vcpu() caller to read a partially initialized vCPU object. No active exploitation has been identified and EPSS is 0.02%, consistent with a kernel subsystem bug affecting a specialized configuration rather than a broadly targeted attack surface.

Technical ContextAI

The vulnerability resides in the arm64 pKVM (protected KVM) hypervisor subsystem within the Linux kernel, specifically in the __pkvm_init_vcpu() function responsible for initializing guest vCPU objects in the protected hypervisor memory region. The root cause class is CWE-401 (Missing Release of Memory after Effective Lifetime), manifesting as leaked pin references obtained via hyp_pin_shared_mem() for both the host vCPU structure and SVE (Scalable Vector Extension) register-state pages. Pin references in this context are counted references that prevent host pages from being reclaimed or remapped while the hypervisor operates on them; leaking them permanently prevents release of those pages. Bug 2 is a memory ordering flaw: a bare C store is used to publish the hyp_vcpu pointer into hyp_vm->vcpus[], which on weakly ordered architectures (arm64 uses a relaxed memory model) does not guarantee that all prior writes to the hyp_vcpu object are visible before the pointer itself becomes visible to concurrent readers. The fix uses smp_store_release() on the write side and smp_load_acquire() on the read side to establish the required happens-before relationship. The affected CPE is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* covering all versions from the initial kernel commit through the fix points.

RemediationAI

Upgrade to Linux kernel 6.18.30 or later on the 6.18.x stable branch (patch commit 7d3c27b54253cda91dc4d2c1bfc109c490837ab9 at https://git.kernel.org/stable/c/7d3c27b54253cda91dc4d2c1bfc109c490837ab9), or upgrade to Linux kernel 7.0.7 or later on the 7.0.x branch (patch commit 73b9c1e5da84cd69b1a86e374e450817cd051371 at https://git.kernel.org/stable/c/73b9c1e5da84cd69b1a86e374e450817cd051371). Mainline users running 7.1-rc1 should update to 7.1-rc2 or later (patch commit 6d69c0ed978f7f0efd053fc98390f25ab77c1aea at https://git.kernel.org/stable/c/6d69c0ed978f7f0efd053fc98390f25ab77c1aea). As a compensating control where patching is not immediately feasible, restricting access to /dev/kvm to only trusted users or service accounts limits exposure to the low-privilege requirement; this does not eliminate the vulnerability but reduces the attack surface to authorized hypervisor operators. Disabling pKVM entirely (if the deployment does not require protected VM isolation) eliminates the vulnerable code path completely, though this removes the hypervisor memory isolation guarantees that pKVM is designed to provide.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46147 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy