CVE-2026-46171 Linux CVE debrief

Who should care

Organizations running Linux KVM virtualization on RISC-V hardware, cloud providers offering RISC-V instances, and kernel maintainers responsible for RISC-V architecture support

Technical summary

The function `kvm_riscv_vcpu_alloc_vector_context` in the Linux kernel's RISC-V KVM implementation performs two separate `kzalloc` allocations: one for `guest_context.vector.datap` and one for `host_context.vector.datap`. If the second allocation fails, the function returns an error code without freeing the first allocation, causing a memory leak. The fix adds proper error handling to free `guest_context.vector.datap` before returning when `host_context.vector.datap` allocation fails. This is a classic error-path resource leak pattern in kernel code.

Defensive priority

medium

Recommended defensive actions

• Apply kernel updates from stable Linux kernel releases containing the referenced commits
• Monitor vendor security advisories for distribution-specific kernel packages
• Review systems running RISC-V KVM workloads for available memory pressure indicators
• Consider enabling kernel memory leak detection (KASAN/KMEMLEAK) in test environments to identify similar issues

Evidence notes

The vulnerability description is sourced from the official CVE record published by NVD on 2026-05-28. The fix is confirmed through three stable kernel Git commits referenced in the source data. No CVSS score or severity rating has been assigned as of the CVE's 'Awaiting Analysis' status.

Official resources