
PoC exploit released for critical Linux KVM guest-to-host escape flaw


  • A proof-of-concept exploit for CVE-2026-46316, a race condition in the Linux kernel’s KVM/arm64 interrupt emulation, was published on GitHub on Tuesday. [github]
  • Researcher Hyunwoo Kim called it the first known guest-to-host escape targeting KVM/arm64, bypassing user-space protections like QEMU entirely. [securityonline]
  • Linux kernel maintainers have merged a patch, and cloud operators running multi-tenant ARM64 environments are urged to apply it immediately. [securityonline]

PoC Exploit Released for Critical Linux Kernel Guest-to-Host Escape Flaw

A proof-of-concept exploit for a critical Linux kernel vulnerability that allows a malicious guest virtual machine to escape its sandbox and execute commands on the host with full kernel privileges has been publicly released, raising urgent concerns for operators of ARM64 cloud infrastructure.

The Vulnerability

The flaw, tracked as CVE-2026-46316 and dubbed “ITScape,” was discovered and reported by security researcher Hyunwoo Kim (@v4bel). It targets KVM/arm64’s vGIC-ITS (virtual Generic Interrupt Controller – Interrupt Translation Service) emulation, exploiting a race condition in how the translation cache handles concurrent invalidation requests. [debian]

According to the official disclosure posted to the oss-sec mailing list on June 10, the vulnerability allows “a guest escape to the host in a KVM/arm64 environment and run commands on the host with kernel (root) privilege”. The researcher’s GitHub repository states that “to the best of public knowledge, this is the first guest-to-host escape exploit research targeting KVM/arm64”. [securityonline]

Technical Details

The root cause lies in the `vgic_its_invalidate_cache()` function, which walks the per-ITS translation cache and drops a reference on each entry it finds. Multiple code paths — the ITS command handlers, the GITS_CTLR write path, and the redistributor GICR_CTLR path — can drain the same cache concurrently without mutual exclusion. Each cache entry holds exactly one reference, so when two or more contexts observe the same entry and each erases it and drops that reference, the reference is released more than once, creating a use-after-free condition. [debian]

Unlike typical virtualization escapes that target user-space emulators like QEMU, ITScape exists within the in-kernel KVM itself, bypassing standard user-space protections entirely. Exploitation requires guest kernel (EL1) privileges to drive the necessary GIC/ITS MMIO interactions, but the disclosure notes it “triggers the bug with guest-side actions alone to escape to the host”. [securityonline]

Patch and Mitigation

The vulnerability affects arm64 kernel versions spanning from late April 2024 through early June 2026. A patch was merged by Linux kernel maintainers that modifies the invalidation logic so that `vgic_put_irq()` drops its reference “only on the value returned by xa_erase()”. The CVE record was published on June 9, and the PoC code appeared on GitHub the following day. [github]
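To make the bug class in the Technical Details section and the shape of the fix concrete, here is an added, deliberately simplified C model; it is not kernel code and not the researcher’s PoC. The names `cache_erase()`, `put_entry()`, `buggy_observe()`, `buggy_drop()`, `fixed_drop()` and `simulate()` are this example’s own stand-ins for `xa_erase()`, `vgic_put_irq()` and the two versions of the invalidation walk. Instead of real threads, the worst-case interleaving of two invalidation contexts is replayed step by step so the outcome is deterministic: both contexts observe the same cache entry before either erases it.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a translation-cache entry. The cache holds exactly one
 * reference to it, as the article describes for the real vgic_irq. */
struct cache_entry {
    int refcount;
    int freed;          /* set when refcount reaches 0 */
    int put_after_free; /* set when a put lands on a freed object (the UAF) */
};

#define CACHE_SLOTS 2
/* Stand-in for the xarray that backs the per-ITS translation cache. */
static struct cache_entry *cache[CACHE_SLOTS];

/* Stand-in for xa_erase(): clear the slot and return what was in it
 * (NULL if the slot was already empty). Ownership of the reference
 * passes to exactly one caller: the one that gets a non-NULL value. */
static struct cache_entry *cache_erase(size_t idx) {
    struct cache_entry *old = cache[idx];
    cache[idx] = NULL;
    return old;
}

/* Stand-in for vgic_put_irq(): drop one reference, free at zero. */
static void put_entry(struct cache_entry *e) {
    if (e->freed) { e->put_after_free = 1; return; } /* double drop */
    if (--e->refcount == 0) e->freed = 1;
}

/* One invalidation context, split into the two steps whose
 * interleaving matters in the vulnerable walk. */
struct ctx { struct cache_entry *observed; };

/* Vulnerable walk, step 1: look at the entry currently in the slot. */
static void buggy_observe(struct ctx *c, size_t idx) {
    c->observed = cache[idx];
}

/* Vulnerable walk, step 2: erase the slot, then drop the reference on
 * the entry observed earlier, regardless of what the erase returned. */
static void buggy_drop(struct ctx *c, size_t idx) {
    if (!c->observed) return;
    cache_erase(idx);
    put_entry(c->observed);
}

/* Fixed walk: drop the reference only on the value the erase returned,
 * so a second context that races on the same slot gets NULL and puts
 * nothing. This mirrors the merged patch described in the article. */
static void fixed_drop(size_t idx) {
    struct cache_entry *e = cache_erase(idx);
    if (e) put_entry(e);
}

/* Replay two contexts draining slot 0 with the worst-case interleaving.
 * Returns 1 if a put landed on an already-freed entry, 0 otherwise. */
int simulate(int fixed) {
    static struct cache_entry entry;
    entry.refcount = 1;
    entry.freed = 0;
    entry.put_after_free = 0;
    cache[0] = &entry;

    if (fixed) {
        fixed_drop(0);   /* context A: erase returns the entry, one put */
        fixed_drop(0);   /* context B: erase returns NULL, no put */
    } else {
        struct ctx a = { NULL }, b = { NULL };
        buggy_observe(&a, 0); /* A sees the entry */
        buggy_observe(&b, 0); /* B sees the same entry before A erases it */
        buggy_drop(&a, 0);    /* A erases and puts: refcount 1 -> 0, freed */
        buggy_drop(&b, 0);    /* B erases an empty slot, puts again: UAF */
    }
    return entry.put_after_free;
}

int main(void) {
    printf("vulnerable walk: use-after-free = %d\n", simulate(0));
    printf("fixed walk:      use-after-free = %d\n", simulate(1));
    return 0;
}
```

The model compresses the real race into one ordering: two contexts read the same slot, then both release the slot’s single reference. The real kernel race is timing-dependent, but the defensive rule the patch enforces is the same as the one `fixed_drop()` follows: treat the return value of the atomic erase as the only proof of ownership, and never release a reference on a pointer that was merely observed earlier.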

Cloud operators running multi-tenant ARM64 KVM environments are urged to verify the patch is applied immediately, as the public availability of working exploit code places unpatched systems at direct risk of host compromise from any tenant with guest kernel access. [securityonline]
