PatchSiren

CVE-2026-46147 Linux CVE debrief

This CVE addresses two bugs in the KVM arm64 vCPU initialization path within the Linux kernel's protected KVM (pKVM) subsystem. The first bug involves a resource leak where pin references on host vCPU and SVE state pages are not released if a check fails after `hyp_pin_shared_mem()` succeeds, leading to permanent pin leaks. The second bug is a publication ordering issue where `register_hyp_vcpu()` publishes the new vCPU pointer into `hyp_vm->vcpus[]` using a bare store, potentially allowing concurrent callers of `pkvm_load_hyp_vcpu()` to observe a partially initialized vCPU object. The fix introduces a `register_hyp_vcpu()` helper to consolidate checks and stores, ensures proper unpinning on error paths, and replaces the bare store/load with `smp_store_release()` and `smp_load_acquire()` to guarantee proper memory ordering. The vulnerability was published on 2026-05-28 and affects the Linux kernel's KVM arm64 implementation. No CVSS score or severity has been assigned as of the CVE's current status (Awaiting Analysis).

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running Linux kernels with KVM virtualization on ARM64 hardware, particularly those using protected KVM (pKVM) for confidential computing workloads. Cloud providers and enterprises with ARM64-based virtualization infrastructure should prioritize this patch to prevent resource exhaustion from pin leaks and potential stability issues from race conditions in vCPU initialization.

Technical summary

The vulnerability exists in `__pkvm_init_vcpu()` in the Linux kernel's protected KVM (pKVM) implementation for ARM64. Two distinct bugs are present: (1) A pin reference leak where `hyp_pin_shared_mem()` success is not properly paired with `unpin_host_vcpu()` and `unpin_host_sve_state()` calls on certain error paths, permanently leaking references to host vCPU and SVE state pages. (2) A publication ordering bug where the vCPU pointer is stored to `hyp_vm->vcpus[]` without proper memory barriers, potentially exposing a partially initialized `hyp_vcpu` object to concurrent readers. The fix extracts a `register_hyp_vcpu()` helper to centralize validation and storage, ensures proper cleanup on all error paths, and implements `smp_store_release()`/`smp_load_acquire()` pairs for safe publication even under potential lockless access scenarios.
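The two properties the fix restores, modelled in userspace C11 as an added example (this is not the kernel patch or project code): every failure after a successful pin drops the pin, and the pointer is published with a release store that pairs with an acquire load. All names here are hypothetical, and `memory_order_release`/`memory_order_acquire` stand in for `smp_store_release()`/`smp_load_acquire()`.

```c
/* Userspace model (C11 atomics), not kernel code. All names are hypothetical. */
#include <stdatomic.h>
#include <stddef.h>
#include <errno.h>

#define MAX_VCPUS 4
struct vcpu { int idx; int ready; };

static int pin_count;                          /* stands in for page pin refs */
static _Atomic(struct vcpu *) slots[MAX_VCPUS];

static int  pin(void)   { pin_count++; return 0; }
static void unpin(void) { pin_count--; }
int pins_held(void)     { return pin_count; }

/* Checks and the publishing store share one helper: one failure point. */
static int register_vcpu(struct vcpu *v, unsigned int idx)
{
    if (idx >= MAX_VCPUS)
        return -EINVAL;
    if (atomic_load_explicit(&slots[idx], memory_order_relaxed))
        return -EEXIST;
    /* Release: all earlier writes to *v become visible before the pointer. */
    atomic_store_explicit(&slots[idx], v, memory_order_release);
    return 0;
}

int init_vcpu(struct vcpu *v, unsigned int idx)
{
    int ret = pin();
    if (ret)
        return ret;
    v->idx = (int)idx;                         /* finish initialisation first */
    v->ready = 1;
    ret = register_vcpu(v, idx);
    if (ret)
        unpin();                               /* error path drops the pin */
    return ret;
}

/* Acquire pairs with the release store: non-NULL implies fully initialised. */
struct vcpu *load_vcpu(unsigned int idx)
{
    if (idx >= MAX_VCPUS)
        return NULL;
    return atomic_load_explicit(&slots[idx], memory_order_acquire);
}

int main(void) { static struct vcpu v; return init_vcpu(&v, 0) != 0 || pins_held() != 1; }
```

A pin count that returns to its previous value after each rejected registration is the invariant the leak violated.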

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant stable kernel patches once available for your distribution
  • Monitor Linux kernel stable releases for commits addressing CVE-2026-46147
  • Review pKVM deployments for potential resource exhaustion indicators from pin leaks
  • Ensure the `smp_store_release()`/`smp_load_acquire()` memory ordering protections are in place for concurrent vCPU operations
  • Validate that host vCPU and SVE state page cleanup occurs correctly on initialization failures

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The fix involves kernel commits referenced in the source material. The vendor is identified as the Linux Kernel project based on the source domain evidence, though marked for review due to low confidence in automated vendor attribution.
