Skip to main content

Linux Kernel EUVDEUVD-2026-35406

| CVE-2026-46317 HIGH
2026-06-09 Linux GHSA-5vrh-8j67-jvj4
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local KVM ioctl access (AV:L, PR:L); narrow TOCTOU window between mmu_lock and config_lock makes AC:H; UAF in guest context corrupts host kernel, so S:C with full CIA impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SUSE
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:31 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
8.8 (HIGH)
Patch available
Jun 09, 2026 - 14:01 EUVD
CVE Published
Jun 09, 2026 - 11:52 cve.org
HIGH 8.8
CVE Published
Jun 09, 2026 - 11:52 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Reassign nested_mmus array behind mmu_lock

kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.

Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.

AnalysisAI

Use-after-free in the Linux kernel KVM subsystem on arm64 allows a local attacker with the ability to manipulate nested virtualization state to dereference a freed nested_mmus array, with potential scope-crossing impact from guest to host kernel memory. Triggered by a race between kvm_vcpu_init_nested() reallocating the array under config_lock and MMU notifier walkers (kvm_unmap_gfn_range) traversing it under mmu_lock. EPSS is 0.02% and no public exploit identified at time of analysis; not listed in CISA KEV.

Technical ContextAI

The flaw lives in arch/arm64/kvm nested virtualization support, specifically the kvm->arch.nested_mmus[] array used to track nested-stage-2 MMUs for L2 guests on ARMv8.4+ NV-capable hosts. Two locks protect different concerns: mmu_lock is held during MMU notifier callbacks that walk nested_mmus to unmap GFN ranges, while config_lock guards configuration changes such as initializing a new nested vCPU. kvm_vcpu_init_nested() resized the array and freed the old buffer while holding only config_lock, leaving readers under mmu_lock with a dangling pointer - a classic locking-domain mismatch leading to a use-after-free (CWE-416), with the race element of CWE-362. The fix allocates the new array outside mmu_lock (allocation can sleep), then under mmu_lock copies entries, fixes back-pointers, swaps the pointer, and defers kvfree() of the old buffer until after the lock is dropped.

RemediationAI

Upstream fix available (commits 918450ad, 70543358, 4424dbcb on git.kernel.org/stable); upgrade to a stable kernel containing the fix, with Linux 6.18.35 identified in EUVD data as a patched release, and pull the equivalent backport from your distribution (RHEL, SUSE, Ubuntu, Debian) once published. As a compensating control on hosts that have not been patched, disable nested virtualization on arm64 KVM by ensuring the kvm-arm.mode= kernel command line is not set to nested, or by withholding the CAP_NESTED_VIRT-equivalent guest configuration from VMs - this prevents reaching kvm_vcpu_init_nested() at the cost of breaking L2-guest workloads. Additionally, restrict /dev/kvm access via group permissions and SELinux/AppArmor policies to trusted operators only, since exploitation requires the ability to drive KVM ioctls. References: https://seclists.org/oss-sec/2026/q2/877 and https://vuldb.com/vuln/369525.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Availability Extension 16.0 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Linux Micro 6.2 Fixed
openSUSE Tumbleweed Fixed

Share

EUVD-2026-35406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy