HIGH
kvm NestedMMU UAF
CVE-2026-46317
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Reassign nested_mmus array behind mmu_lock

kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.

Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.
02 KernelScan AI Analysis
Risk summary
Local attackers with low privileges can trigger a use-after-free in KVM's ARM64 nested virtualization by racing array reallocation with MMU notifier callbacks. This can lead to kernel memory corruption, privilege escalation, or system crashes on systems running nested virtual machines.
Vulnerability analysis
The vulnerability occurs in kvm_vcpu_init_nested() which reallocates the nested_mmus array while holding only config_lock, but the array is accessed from MMU notifier paths under mmu_lock. This creates a race where kvm_unmap_gfn_range() can access the freed old array buffer after reallocation. The fix moves the array reassignment inside mmu_lock protection, allocating the new buffer outside the lock, copying existing entries and fixing back-pointers under the lock, then freeing the old buffer after releasing the lock. This affects systems with ARM64 nested virtualization enabled and requires local access with sufficient privileges to create/manage VMs.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.35 | 918450ad6010 |
| 7.0 | 7.0.12 | 4424dbcb06d6 |
| mainline | 7.1-rc7 | 70543358fa08 |