In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Fix pin leak and publication ordering in __pkvminitvcpu()
Two bugs exist in the vCPU initialisation path:
If a check fails after hyppinsharedmem() succeeds, the cleanup path jumps to 'unlock' without calling unpinhostvcpu() or unpinhostsvestate(), permanently leaking pin references on the host vCPU and SVE state pages.
Extract a registerhypvcpu() helper that performs the checks and the store. When registerhypvcpu() returns an error, call unpinhostvcpu() and unpinhostsve_state() inline before falling through to the existing 'unlock' label.
registerhypvcpu() publishes the new vCPU pointer into 'hypvm->vcpus[]' with a bare store, allowing a concurrent caller of pkvmloadhypvcpu() to observe a partially initialised vCPU object.
Ensure the store uses smpstorerelease() and the load uses smploadacquire(). While 'vmtablelock' currently serialises the store and the load, these barriers ensure the reader sees the fully initialised 'hyp_vcpu' object even if there were a lockless path or if the lock's own ordering guarantees were insufficient for nested object initialization.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46147.json",
"cna_assigner": "Linux"
}