Critical Linux Kernel Vulnerability (CVE-2026-46316) Exposes KVM/ARM64 Hosts to Guest-to-Host Escape
A proof-of-concept (PoC) exploit has been publicly released for CVE-2026-46316, a severe Linux kernel vulnerability dubbed "ITScape" that enables guest-to-host escape in KVM/ARM64 virtualization environments. Discovered by security researcher Hyunwoo Kim (V4bel), the flaw allows a malicious guest virtual machine (VM) to execute arbitrary commands on the host system with root-level kernel privileges.
The vulnerability resides in the vGIC-ITS (Virtual Generic Interrupt Controller – Interrupt Translation Service) emulation logic within the Linux kernel’s KVM implementation. A race condition in the code leads to a "double-put" scenario, enabling host kernel code execution without requiring interaction with user-space components like QEMU. Unlike traditional VM escape flaws, ITScape operates entirely within the kernel, which makes it particularly dangerous: successful exploitation grants direct kernel access rather than just user-space compromise.
The PoC, released on GitHub, demonstrates how a crafted guest VM performing specific GIC/ITS memory-mapped I/O (MMIO) operations can trigger the race condition, escape the virtualized environment, and execute code on the host. Exploitation is confirmed by the creation of a root-owned file (/ITScape) on the host system. The PoC is designed for controlled testing using QEMU TCG to emulate ARM64 systems and is built atop Linux KVM self-tests.
The flaw affects Linux kernel versions between commits 8201d1028caa (April 2024) and 13031fb6b835 (June 5, 2026), prior to the patch. While the PoC is not fully weaponized for real-world cloud attacks, the researcher notes that adapting it for production environments would be feasible with adjustments to kernel configurations and memory layouts.
The vulnerability poses a major risk to multi-tenant cloud environments, particularly those running ARM64 infrastructure, as it undermines virtualization isolation. Successful exploitation could enable lateral movement, data exfiltration, or full infrastructure compromise. The disclosure followed a coordinated embargo via the Linux-distros security mailing list, and patches have since been released to mitigate the issue. Organizations are urged to update affected kernels and audit virtualization environments for exposure.
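For the exposure audit urged above, the following added example (not code from the article, the researcher or the kernel project) classifies a kernel git checkout against the commit range the article gives. The function names and status strings are this example's own; only the two commit IDs come from the article, and the backport check assumes the stable-tree convention of citing the upstream commit ID in the commit message.

```shell
#!/bin/sh
# Added example: classify a kernel git tree against the CVE-2026-46316 range.
INTRODUCED=8201d1028caa   # first affected commit, per the article
FIXED=13031fb6b835        # fixing commit, per the article

# has_change REPO REF COMMIT
# True if COMMIT is an ancestor of REF (mainline), or if a commit reachable
# from REF cites COMMIT in its message (stable/distro backports get a new
# hash but normally quote the upstream ID). The citation match is a
# heuristic: a revert that names the commit would also match.
has_change() {
    git -C "$1" merge-base --is-ancestor "$3" "$2" 2>/dev/null && return 0
    [ -n "$(git -C "$1" log -1 --format=%H -F --grep="$3" "$2" 2>/dev/null)" ]
}

# itscape_status REPO [REF] [INTRODUCED] [FIXED]
# Prints: patched | vulnerable | not-affected | unknown
itscape_status() {
    repo=$1; ref=${2:-HEAD}; intro=${3:-$INTRODUCED}; fix=${4:-$FIXED}
    # Not a git tree, or REF does not resolve: nothing can be concluded.
    git -C "$repo" rev-parse -q --verify "$ref^{commit}" >/dev/null 2>&1 ||
        { echo unknown; return 0; }
    # A shallow clone has truncated history, so ancestry answers are unreliable.
    if [ "$(git -C "$repo" rev-parse --is-shallow-repository 2>/dev/null)" = true ]; then
        echo unknown; return 0
    fi
    if has_change "$repo" "$ref" "$fix"; then
        echo patched          # fix (or its backport) is in the history
    elif has_change "$repo" "$ref" "$intro"; then
        echo vulnerable       # flawed code present, fix absent
    else
        echo not-affected     # tree predates the introducing commit
    fi
}
```

Run it as `itscape_status /path/to/linux v6.x-tag` against the source tree a host kernel was built from. A `vulnerable` result only matters on ARM64 hosts that run KVM guests, and vendor kernels that do not keep upstream IDs in their history need the vendor's advisory instead.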
Source: https://gbhackers.com/poc-exploit-released-for-linux-kernel-vulnerability/
Kernel Foundation - Master Linux Kernel & LDD cybersecurity rating report: https://www.rankiteo.com/company/linux-kernel-foundation
"id": "LIN1781159040",
"linkid": "linux-kernel-foundation",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology, Cloud Computing, Data Centers',
'type': 'Cloud Service Providers, Enterprises using '
'ARM64 virtualization'}],
'attack_vector': 'Guest-to-Host Escape via KVM/ARM64 vGIC-ITS MMIO Operations',
'data_breach': {'data_exfiltration': 'Potential (if exploited in production '
'environments)'},
'description': 'A proof-of-concept (PoC) exploit has been publicly released '
'for CVE-2026-46316, a severe Linux kernel vulnerability '
"dubbed 'ITScape' that enables guest-to-host escape in "
'KVM/ARM64 virtualization environments. The flaw allows a '
'malicious guest virtual machine (VM) to execute arbitrary '
'commands on the host system with root-level kernel '
'privileges. The vulnerability resides in the vGIC-ITS '
'emulation logic within the Linux kernel’s KVM implementation, '
"leading to a race condition and 'double-put' scenario that "
'grants direct kernel access.',
'impact': {'brand_reputation_impact': 'Potential reputational damage for '
'cloud providers using affected '
'infrastructure',
'operational_impact': 'Potential full infrastructure compromise, '
'lateral movement, data exfiltration',
'systems_affected': 'Linux KVM/ARM64 hosts running vulnerable '
'kernel versions'},
'investigation_status': 'Patched and mitigated',
'lessons_learned': 'Importance of timely kernel updates and virtualization '
'isolation audits in multi-tenant cloud environments',
'motivation': 'Research/Proof-of-Concept',
'post_incident_analysis': {'corrective_actions': 'Kernel patches to fix the '
'race condition, enhanced '
'testing for KVM/ARM64 '
'virtualization',
'root_causes': 'Race condition in vGIC-ITS '
'emulation logic leading to a '
"'double-put' scenario"},
'recommendations': 'Update affected Linux kernels, audit ARM64 virtualization '
'environments, and monitor for signs of exploitation',
'references': [{'source': 'GitHub PoC Repository'}],
'response': {'communication_strategy': 'Coordinated disclosure via '
'Linux-distros security mailing list',
'containment_measures': 'Kernel patches released to mitigate the '
'vulnerability',
'enhanced_monitoring': 'Audit virtualization environments for '
'exposure',
'remediation_measures': 'Update affected Linux kernels to '
'patched versions'},
'stakeholder_advisories': 'Organizations urged to update affected kernels and '
'audit virtualization environments',
'threat_actor': 'Hyunwoo Kim (V4bel)',
'title': 'Critical Linux Kernel Vulnerability (CVE-2026-46316) Exposes '
'KVM/ARM64 Hosts to Guest-to-Host Escape',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CVE-2026-46316 (ITScape)'}