On 10 June 2026, researcher Hyunwoo Kim (@v4bel) posted the details of ITScape to the oss-security list, tracked as CVE-2026-46316. According to the author, this is the first public guest-to-host escape exploit research targeting KVM on arm64. A malicious guest VM can break out of its isolation and run code on the host with kernel privileges, which is strictly more than root.
What it is
The flaw sits in the vGIC-ITS, the emulation of the Interrupt Translation Service in the virtual interrupt controller that KVM exposes to arm64 guests. It is a use-after-free caused by a race condition in vgic_its_invalidate_cache(): concurrent cache invalidation drops the same reference more than once, so the reference count on the cached interrupt object goes wrong.
The exploit path is specific and entirely guest-driven. The guest sets up two ITS instances with interrupt table entries (ITEs) aliased to the same object. Several vCPUs then disable LPI delivery at the same time to force concurrent cache invalidation calls. That concurrency triggers a double put on vgic_irq objects, which lands in a use-after-free. From there the guest fills the freed memory with crafted fake interrupt structures and, through interrupt delivery resolution, redirects kernel execution toward gadgets that write to kernel memory (leaning on orderly_poweroff and related mechanisms).
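The double put at the heart of the bug, as an added model that is not the vgic-its code from the kernel or from the ITScape write-up: a cache slot owns one reference on an interrupt object, two vCPUs invalidate the cache at once, and the buggy path reads the slot before clearing it, so both callers drop the same reference. The fixed path shown is the generic remedy for this bug class (claim the cached reference with an atomic exchange so that exactly one caller puts it), not necessarily what the upstream commit does. All names (irq_obj, lpi_cache, race_buggy, race_fixed, freed_count) are hypothetical, the single slot stands in for the two aliased ITEs, and the racing interleaving is replayed step by step instead of with real threads so the outcome is deterministic.

```c
/*
 * Added model of the ITScape bug class: a cache slot that owns one
 * reference on an interrupt object and is invalidated by two vCPUs at
 * once. Not KVM's vgic-its code; every name here is hypothetical.
 */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

struct irq_obj {
    atomic_int refcount;   /* 1 while the cache holds its reference */
    int freed;             /* how many times the free path ran */
    int uaf_puts;          /* puts that touched the object after free */
};

struct lpi_cache {
    struct irq_obj *_Atomic slot;   /* cached translation target */
};

static struct irq_obj g_irq;   /* the object both invalidators race over */

/* Drop one reference; records misuse instead of calling kfree(). */
static void irq_put(struct irq_obj *irq)
{
    if (atomic_load(&irq->refcount) <= 0) {
        irq->uaf_puts++;          /* already freed: this is the UAF */
        return;
    }
    if (atomic_fetch_sub(&irq->refcount, 1) == 1)
        irq->freed++;             /* last reference gone: object freed */
}

/*
 * Buggy invalidation, split at the point where a real function can be
 * preempted: step 1 reads the slot, step 2 clears it and drops the
 * reference. Two callers that both finish step 1 before either runs
 * step 2 each drop the same reference.
 */
static struct irq_obj *buggy_invalidate_read(struct lpi_cache *c)
{
    return atomic_load(&c->slot);
}

static void buggy_invalidate_put(struct lpi_cache *c, struct irq_obj *seen)
{
    if (seen) {
        atomic_store(&c->slot, (struct irq_obj *)NULL);
        irq_put(seen);
    }
}

/*
 * Fixed invalidation: take ownership of the slot's reference atomically,
 * so only the caller that swapped the pointer out gets to drop it.
 */
static void fixed_invalidate(struct lpi_cache *c)
{
    struct irq_obj *old = atomic_exchange(&c->slot, (struct irq_obj *)NULL);
    if (old)
        irq_put(old);
}

/* Fresh object with one reference, held by the cache. */
static void reset(struct lpi_cache *c)
{
    atomic_store(&g_irq.refcount, 1);
    g_irq.freed = 0;
    g_irq.uaf_puts = 0;
    atomic_init(&c->slot, &g_irq);
}

/* Two vCPUs invalidate the same cache on the buggy path; returns UAF puts. */
int race_buggy(void)
{
    struct lpi_cache c;
    reset(&c);
    struct irq_obj *seen_a = buggy_invalidate_read(&c);   /* vCPU A, step 1 */
    struct irq_obj *seen_b = buggy_invalidate_read(&c);   /* vCPU B, step 1 */
    buggy_invalidate_put(&c, seen_a);   /* A drops the reference: freed */
    buggy_invalidate_put(&c, seen_b);   /* B drops it again: double put */
    return g_irq.uaf_puts;              /* 1 */
}

/* Same interleaving on the fixed path; returns UAF puts. */
int race_fixed(void)
{
    struct lpi_cache c;
    reset(&c);
    fixed_invalidate(&c);   /* vCPU A claims the reference and frees */
    fixed_invalidate(&c);   /* vCPU B finds the slot empty, does nothing */
    return g_irq.uaf_puts;  /* 0 */
}

/* How many times the object was freed in the last run (1 is correct). */
int freed_count(void)
{
    return g_irq.freed;
}

int main(void)
{
    int uaf = race_buggy();
    printf("buggy: %d put(s) on a freed object, freed %d time(s)\n", uaf, freed_count());
    uaf = race_fixed();
    printf("fixed: %d put(s) on a freed object, freed %d time(s)\n", uaf, freed_count());
    return 0;
}
```

Build with any C11 compiler (cc -std=c11). On the buggy path the second put lands on an object whose refcount is already zero; in the kernel that object would already be back in the allocator, which is the window the guest fills with fake interrupt structures. On the fixed path the second vCPU sees an empty slot and never touches the object.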
Who it affects
It affects the Linux kernel running KVM on arm64 when guests are given a GICv3 virtual interrupt controller (vGIC v3), which is where the ITS emulation lives. The vulnerable code has been present since commit 8201d1028caa (April 2024) up to its fix. The proof of concept was tuned for a specific kernel (Linux v7.1-rc6 aarch64) with hardcoded addresses and offsets, but the underlying bug is not limited to that build.
The real exposure is in multi-tenant virtualization: arm64 public clouds where VMs from different customers share a single host. There, a single customer’s VM can break the separation that keeps it apart from everyone else. For arm64 servers running trusted guests the risk is lower, though this is still a critical-severity flaw.
Severity
CVSS 9.3 (critical). Maximum impact: kernel-level code execution on the host and a complete loss of guest-host isolation. It requires no user interaction and no privileges beyond control of the guest operating system; the attack runs entirely from inside the virtual machine.
Mitigation
The fix was merged into mainline Linux. Apply the relevant kernel patches:
- Commit 13031fb6b8357fbbcded2a7f4cba73e4781ee594 (primary fix for CVE-2026-46316)
- Commit 70543358fa08e0f7cebc3447c3b70fe97ad7aaa8 (related CVE-2026-46317)
- Commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 (additional recommended patch)
Update the kernel on any arm64 host that runs KVM guests as soon as your distribution ships packages with these changes. If you run a multi-tenant host, move the rollout up the queue: VM-to-VM isolation is exactly what this vulnerability breaks.
This case echoes other recent memory-safety bugs in the kernel's virtualization paths, such as the integer underflow in vsock/virtio (CVE-2026-23069). For background on the kernel that backs all of this, see the Linux Kernel entry.
Source
- oss-security (openwall): ITScape: Guest-to-Host Escape in KVM/arm64
- NVD: CVE-2026-46316
