
ITScape: critical KVM/arm64 vulnerability threatens ARM64 hosts


CVE-2026-46316, also known as ITScape, is a critical guest-to-host escape vulnerability in the vGIC-ITS (Interrupt Translation Service) emulation component of KVM/arm64. The issue was disclosed by researcher Hyunwoo Kim and affects ARM64-based virtualized infrastructures where untrusted guest operating systems are commonly deployed.

The vulnerability stems from a race condition in the vgic_its_invalidate_cache() function. In practice, this leads to a double-use-after-free scenario, which can be leveraged to execute host kernel code. For multitenant cloud environments, this is a particularly serious risk, as a successful exploit could break isolation between a guest and the host.

Why ITScape matters

According to the report, the vulnerability directly threatens multitenant ARM64 cloud environments, where untrusted guest operating systems are widespread. The impact is especially significant in scenarios where an attacker has access to a guest system but does not have root privileges there.

In such cases, the attacker may attempt to chain the vulnerability with other local privilege escalation techniques in order to reach the necessary execution context for exploitation.

Affected versions and patch timeline

The affected kernel range extends from commit 8201d1028caa dated 25 April 2024 to commit 13031fb6b835 dated 5 June 2026, when the required patch was integrated into the mainline kernel.

This timeline means that systems running kernels built from source between those points may be exposed unless they include the fix or vendor backports.

Detection and threat hunting: two YARA rules

To address the issue and support monitoring for possible exploitation, two dedicated YARA rules were created. These rules are intended both for detection and for threat intelligence collection in ARM64 cloud environments.

ITScape_ExploitConstants_1

The first rule, ITScape_ExploitConstants_1, is designed to identify nine hardcoded 64-bit constants embedded in the PoC source code. These constants include:

  • kernel symbol addresses;
  • a sentinel used for anti-leak measures;
  • values encoded in little-endian format, typical of compiled ARM64 ELF binaries.

Testing against a known PoC binary matched seven of the nine constants, despite some differences caused by compiler variation. The rule intentionally keeps potentially variable constants in order to remain effective against future exploit variants and different build configurations.

ITScape_KVM_PrivDrop_1

The second rule, ITScape_KVM_PrivDrop_1, focuses on a unique, semantically meaningful instruction sequence inside the compiled binary. It includes a permission check for /dev/kvm, followed by a chain of privilege-dropping system calls:

  • setgroups(0, NULL)
  • setgid(1000)
  • setuid(1000)

The byte patterns are designed to tolerate variation, making the signature resilient to different compiler outputs. Anchoring on a semantically meaningful instruction sequence rather than on fixed constants makes it a more reliable indicator of exploitation attempts.
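To make the structure of such a signature concrete, here is an added illustrative YARA rule written for this article; it is not the report's ITScape_KVM_PrivDrop_1 rule, whose actual byte patterns are not reproduced on the page. It assumes a statically linked ARM64 ELF that issues the syscalls directly via `svc #0` with the syscall number in `x8` (setgroups = 159, setgid = 144, setuid = 146 on arm64), and the MOVZ/SVC encodings are the editor's own.

```yara
// Added example, not the report's rule. Assumption: the privilege drop is
// performed with inline syscalls (mov x8, #nr ; svc #0), as in a static
// glibc build, so the instruction bytes below are stable enough to match.
rule ITScape_KVM_PrivDrop_example
{
    meta:
        description = "ARM64 ELF that opens /dev/kvm and drops to uid/gid 1000"
        reference   = "CVE-2026-46316 (ITScape)"
        note        = "illustrative structure only; not the published rule"

    strings:
        // Path string used by the /dev/kvm permission check
        $kvm = "/dev/kvm" ascii

        // mov x8, #159 (setgroups) ; svc #0
        $setgroups = { E8 13 80 D2 01 00 00 D4 }

        // mov w0, #1000 ; up to three filler instructions ;
        // mov x8, #144 (setgid) ; svc #0
        $setgid = { 00 7D 80 52 [0-12] 08 12 80 D2 01 00 00 D4 }

        // mov w0, #1000 ; up to three filler instructions ;
        // mov x8, #146 (setuid) ; svc #0
        $setuid = { 00 7D 80 52 [0-12] 48 12 80 D2 01 00 00 D4 }

    condition:
        uint32(0) == 0x464C457F and   // ELF magic "\x7fELF"
        uint16(18) == 0x00B7 and      // e_machine == EM_AARCH64 (183)
        $kvm and $setgroups and $setgid and $setuid
}
```

The `[0-12]` jumps are what give the pattern tolerance to compiler variation in argument setup; a dynamically linked build that calls the libc wrappers instead would need a different anchor (for example the imported symbol names).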

What organizations should take away

For organizations operating on ARM64-based cloud infrastructure, the report underlines two priorities:

  • verify whether host kernels fall within the affected commit range;
  • deploy the YARA rules for detection and hunting of suspicious binaries or exploit artifacts.

In the context of shared cloud platforms, ITScape is not just another kernel bug. It is a potential escape from guest to host with direct implications for tenant isolation, host integrity, and incident response readiness.

The report was obtained from the CTT Report Hub service. Rights to the report belong to its owner.

The full report is available via the link.

Original publication on the CISOCLUB website: "ITScape: critical KVM/arm64 vulnerability threatens ARM64 hosts".
