Podcast Episode
PoC Exploit Released for Critical Linux KVM Guest-to-Host Escape Flaw (CVE-2026-46316)
June 11, 2026
A working proof-of-concept exploit has been published for CVE-2026-46316, dubbed 'ITScape', a critical vulnerability in Linux KVM on ARM64 that lets a malicious guest virtual machine break out of its sandbox and run commands on the host with full kernel privileges. Discovered by researcher Hyunwoo Kim, the flaw is described as the first public guest-to-host escape targeting KVM/arm64. Cloud operators running multi-tenant ARM64 infrastructure are urged to patch immediately.
A First-of-its-Kind Escape
Security researcher Hyunwoo Kim, known online as @v4bel, has disclosed a critical Linux kernel vulnerability that allows a malicious guest virtual machine to escape its sandbox and execute commands on the host with full kernel, or root, privileges. Tracked as CVE-2026-46316 and nicknamed 'ITScape', the flaw was detailed on the oss-sec mailing list on June 10, with a proof-of-concept exploit appearing on GitHub the same day. The researcher's repository states that, to the best of public knowledge, this is the first guest-to-host escape exploit research targeting KVM on ARM64.
How It Works
The vulnerability lives in KVM/arm64's vGIC-ITS emulation, the virtual Generic Interrupt Controller's Interrupt Translation Service. The root cause is in the vgic_its_invalidate_cache() function, which walks a per-ITS translation cache and drops references on each entry. Multiple code paths, including ITS command handlers, the GITS_CTLR write path, and the redistributor GICR_CTLR path, can drain the same cache concurrently without proper exclusion. When two or more contexts observe and erase the same entry, the cache's single reference is dropped more than once, creating a use-after-free condition that can be steered into code execution.
Why This One Is Different
Most virtualisation escapes target user-space emulators such as QEMU, where additional sandboxing can blunt an attack. ITScape is different: it exists within the in-kernel KVM itself, bypassing standard user-space protections entirely. Exploitation requires guest kernel (EL1) privileges to drive the necessary GIC and ITS memory-mapped IO interactions, but the disclosure notes that guest-side actions alone are enough to trigger the bug and escape to the host.
Patch and Mitigation
The vulnerability affects ARM64 kernel versions spanning from late April 2024 through early June 2026. Linux kernel maintainers merged a patch that modifies the invalidation logic so that vgic_put_irq() drops its reference only on the value returned by xa_erase(), closing the double-drop window. The CVE record was published on June 9, and Debian and SUSE security trackers have begun cataloguing affected packages.
The practical risk is significant. Cloud operators running multi-tenant ARM64 KVM environments are urged to verify the patch is applied immediately. Because working exploit code is now public, any tenant with guest kernel access on an unpatched system poses a direct threat of full host compromise, potentially exposing every other virtual machine running on the same hardware. With ARM64 increasingly central to modern cloud fleets, the disclosure is a stark reminder that the isolation boundary between tenants is only as strong as the kernel enforcing it.
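As an added illustration of the root cause described under "How It Works" and the fix described above (this is a constructed C model, not code from the disclosure or from the Linux kernel), the block below replays the interleaving in which two invalidation contexts both observe the same cache entry before either erases it: the pre-patch pattern drops the entry's single reference twice, while the patched pattern drops a reference only on the object xa_erase() actually returned. The struct, cache and helper names are stand-ins for the kernel's vgic_irq, translation cache, vgic_put_irq() and xa_erase(), not real identifiers.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a refcounted interrupt object (kernel: vgic_irq). */
struct irq {
    atomic_int refcount;
    int freed;          /* set when the last reference is dropped */
};

/* Constructed stand-in for the per-ITS translation cache (kernel: xarray). */
#define CACHE_SLOTS 4
static struct irq *_Atomic cache[CACHE_SLOTS];

/* vgic_put_irq() stand-in: drop one reference, free at zero.
 * Returns the remaining count, or -1 for a drop on an already-freed object. */
static int put_irq(struct irq *irq) {
    int left = atomic_fetch_sub(&irq->refcount, 1) - 1;
    if (left == 0) irq->freed = 1;
    return left < 0 ? -1 : left;
}

/* xa_erase() stand-in: atomically clear the slot and return the old value. */
static struct irq *cache_erase(int slot) {
    return atomic_exchange(&cache[slot], (struct irq *)NULL);
}

/* Pre-patch pattern: the context drops the reference it observed earlier,
 * regardless of whether its own erase was the one that removed the entry. */
static int invalidate_vulnerable(int slot, struct irq *observed) {
    cache_erase(slot);
    return observed ? put_irq(observed) : 0;
}

/* Patched pattern: only the context whose erase returned the object drops it. */
static int invalidate_fixed(int slot) {
    struct irq *irq = cache_erase(slot);
    return irq ? put_irq(irq) : 0;
}

/* Replay the race: contexts A and B both observe slot 0, then both invalidate.
 * Returns the final refcount, or -1 if the single reference was dropped twice. */
static int race(int use_fix) {
    struct irq irq = { .refcount = 1, .freed = 0 };   /* cache holds the only ref */
    atomic_store(&cache[0], &irq);
    struct irq *seen_a = atomic_load(&cache[0]);
    struct irq *seen_b = atomic_load(&cache[0]);
    int a = use_fix ? invalidate_fixed(0) : invalidate_vulnerable(0, seen_a);
    int b = use_fix ? invalidate_fixed(0) : invalidate_vulnerable(0, seen_b);
    return (a < 0 || b < 0) ? -1 : atomic_load(&irq.refcount);
}

int main(void) {
    printf("vulnerable: %d (-1 = double drop)\nfixed: %d\n", race(0), race(1));
    return 0;
}
```

The model replays the interleaving deterministically rather than relying on thread scheduling, so the double drop is reproduced on every run.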
Published June 11, 2026 at 3:02pm