Skip to main content

Linux Kernel EUVDEUVD-2026-35405

| CVE-2026-46316 CRITICAL
Improper Update of Reference Count (CWE-911)
2026-06-09 Linux GHSA-qcxh-2cm7-9fcc
9.3
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.3 CRITICAL
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Attacker must be inside a KVM guest (AV:L, PR:L), win a multi-context race on host kernel state (AC:H), and the UAF crosses guest-to-host (S:C) with full host C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SUSE
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:30 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
9.3 (CRITICAL)
Patch available
Jun 09, 2026 - 14:01 EUVD
CVE Published
Jun 09, 2026 - 11:52 cve.org
CRITICAL 9.3
CVE Published
Jun 09, 2026 - 11:52 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry

vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().

The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.

xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.

AnalysisAI

Use-after-free in the KVM arm64 vGIC-ITS translation cache allows a malicious guest to corrupt host kernel memory by triggering concurrent cache invalidations that double-drop a single reference. The flaw affects Linux 6.10 and later until the stable backports, has no public exploit identified at time of analysis, and EPSS rates real-world exploitation probability as very low (0.02%, 5th percentile) despite the CVSS 9.3 rating.

Technical ContextAI

The vulnerable code lives in arch/arm64/kvm/vgic/vgic-its.c, which implements emulation of the GICv3 Interrupt Translation Service for KVM-virtualised arm64 guests. vgic_its_invalidate_cache() iterates an xarray-backed per-ITS translation cache using xa_for_each() and drops each entry's refcount via vgic_put_irq(), but it passes the iteration pointer instead of the value returned by the atomic xa_erase(). Three call sites can run concurrently without mutual exclusion - ITS command handlers (its_lock), the GITS_CTLR write path (cmd_lock), and the EnableLPIs clear path in GICR_CTLR (no lock) - so two contexts can each observe, erase and put the same entry, dropping the single cache-held reference more than once. This is a classic CWE-416 (use-after-free) caused by a CWE-362 race condition; the freed irq descriptor can still be referenced by an outstanding ITE mapping, giving an attacker a dangling kernel pointer.

RemediationAI

Vendor-released patch: upgrade to Linux 6.12.93, 6.18.35, 7.0.12, or 7.1-rc7 or later, applying the appropriate stable backport from git.kernel.org/stable/c/b7b72e88046328c9fdc638fe887d4240257dd5dc (mainline) or the matching stable commits 2bbc395e, 9121f460, 13031fb6. Distribution-shipped kernels should be updated through normal channels once the backport lands (see https://nvd.nist.gov/vuln/detail/CVE-2026-46316 and https://seclists.org/oss-sec/2026/q2/877 for tracking). If immediate kernel update is not possible on arm64 KVM hosts, the only meaningful compensating control is to stop running untrusted guests with vGIC-ITS emulation - either disable ITS in the guest virtual machine definitions (which removes MSI/LPI support and degrades interrupt performance for PCIe passthrough and high-throughput virtio devices) or restrict guest creation to trusted tenants until the host is patched; firewalling does not help because the attack surface is intra-host.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Availability Extension 16.0 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Linux Micro 6.2 Fixed
openSUSE Tumbleweed Fixed

Share

EUVD-2026-35405 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy