
ITScape: The KVM arm64 Guest Escape That Reaches Host Kernel. AWS Graviton and Azure Ampere Are the Target Class.

  • Writer: Patrick Duggan

The researcher's proof-of-concept demonstration is clean: run the exploit inside a guest VM, watch a file appear at /ITScape on the host, owned by root. Guest to host kernel in one shot.


CVE-2026-46316, named ITScape, is a use-after-free in Linux KVM's arm64 implementation of the virtual GIC Interrupt Translation Service (vgic-its). It carries a CVSS score of 9.3.



The Vulnerability


The flaw is a race between vgic_its_invalidate_cache() and vgic_its_process_commands(). When an invalidation of the interrupt translation cache runs concurrently with command processing, the cache's reference on a translation entry is dropped more than once: two paths put the same vgic_irq refcount, so the count reaches zero while a holder still exists. The result is a freed kmalloc-96 object in the host kernel that is still referenced and reachable.
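To make the double-put concrete, here is an added example written for this post. It is not the vgic-its code and it does not describe what commit 13031fb6b835 changes; every name in it (irq_model, cache_slot, run_invalidation_race) is invented for the illustration. It models a cache slot that owns one counted reference. The unsafe shape reads the slot, puts the reference, then clears the slot, so two invalidators that both read before either clears put the same reference twice; the hardened shape claims the slot with an atomic exchange first, so only one of them ever holds a reference to drop.

```c
/* Added example: a minimal model of a refcount double-put on a cache slot
 * and one standard remedy.  Not the Linux vgic-its code; names are invented. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct irq_model {
    atomic_int refcount;
    bool freed;     /* set on the last put; a kernel would kfree() here */
};

struct cache_slot {
    _Atomic(struct irq_model *) irq;    /* holds one counted reference, or NULL */
};

static void irq_put(struct irq_model *irq)
{
    if (atomic_fetch_sub(&irq->refcount, 1) == 1)
        irq->freed = true;
}

/* Vulnerable shape: snapshot, put, then clear.  A second invalidator that
 * snapshots between step 1 and step 3 sees the same pointer and puts it again. */
static struct irq_model *unsafe_invalidate_begin(struct cache_slot *s)
{
    return atomic_load(&s->irq);                        /* step 1: read the slot */
}

static void unsafe_invalidate_finish(struct cache_slot *s, struct irq_model *snap)
{
    if (!snap)
        return;
    irq_put(snap);                                      /* step 2: drop the cache's reference */
    atomic_store(&s->irq, (struct irq_model *)NULL);    /* step 3: clear the slot */
}

/* Hardened shape: the exchange hands the slot's reference to exactly one
 * caller; everyone else sees NULL and has nothing to put. */
static void safe_invalidate(struct cache_slot *s)
{
    struct irq_model *old = atomic_exchange(&s->irq, (struct irq_model *)NULL);
    if (old)
        irq_put(old);
}

struct race_result {
    int refcount_after;      /* references the object believes it still has */
    bool freed_while_held;   /* freed although another holder still references it */
};

/* Replay the losing interleaving deterministically: two invalidators hit
 * the same slot while a third party still holds its own reference. */
struct race_result run_invalidation_race(bool hardened)
{
    struct irq_model *irq = calloc(1, sizeof *irq);
    struct cache_slot slot;
    struct race_result r;

    atomic_init(&irq->refcount, 2);     /* one ref for the slot, one for another holder */
    atomic_init(&slot.irq, irq);

    if (hardened) {
        safe_invalidate(&slot);         /* CPU A wins the exchange and puts once */
        safe_invalidate(&slot);         /* CPU B gets NULL and puts nothing */
    } else {
        struct irq_model *a = unsafe_invalidate_begin(&slot);  /* CPU A reads the slot */
        struct irq_model *b = unsafe_invalidate_begin(&slot);  /* CPU B reads the same pointer */
        unsafe_invalidate_finish(&slot, a);                    /* A: refcount 2 -> 1 */
        unsafe_invalidate_finish(&slot, b);                    /* B: refcount 1 -> 0, object freed */
    }

    r.refcount_after = atomic_load(&irq->refcount);
    r.freed_while_held = irq->freed;    /* the third holder never let go */
    free(irq);
    return r;
}

int main(void)
{
    struct race_result bad = run_invalidation_race(false);
    struct race_result good = run_invalidation_race(true);
    printf("unsafe:   refcount=%d freed_while_held=%d\n", bad.refcount_after, bad.freed_while_held);
    printf("hardened: refcount=%d freed_while_held=%d\n", good.refcount_after, good.freed_while_held);
    return 0;
}
```

The replay stages the losing interleaving instead of racing real threads, which is also how a regression test for this class of bug is best written: a thread race that only fails one run in a thousand proves little. The object that the third holder still points at after the unsafe run is the dangling reference the article describes; what the real exploit does with it is outside this example.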


From there the proof of concept turns the use-after-free into full host kernel code execution as uid 0. Because the vulnerable ITS emulation lives in KVM itself rather than in a userspace VMM, the guest drives host kernel code directly: there is no intermediate process sandbox to land in, and the hypervisor boundary is the one thing that fails.


The fix is in mainline Linux at commit 13031fb6b835, merged June 5, 2026. The vulnerable code was introduced by commit 8201d1028caa on April 25, 2024, so affected kernels carried the bug for a little over two years.



Why arm64 Is the Right Target Class Right Now


The vulnerability only affects arm64. The vgic-its code lives entirely within arch/arm64/kvm/vgic/ and has no x86 equivalent. x86 KVM is not affected.


This would have been a niche concern two years ago. arm64 server adoption has changed that calculus dramatically.


AWS Graviton — AWS's custom arm64 processor, now across EC2, Lambda, Fargate, RDS, and more. Graviton instances are cheaper and often faster than equivalent x86 for many workloads. A significant fraction of AWS workloads migrated to Graviton over the last three years.


Azure Ampere Altra — Azure's arm64 VM tier. Microsoft has been expanding Ampere availability across regions.


Hetzner, OVH, Scaleway — European cloud providers have arm64 offerings, often used by budget-conscious customers running Linux workloads.


Any multi-tenant arm64 environment whose hosts run KVM on an unpatched Linux kernel is exposed. An attacker who can deploy a VM on such a host, or who compromises an existing VM there through some other vulnerability, can potentially escape to the host kernel.



The Multi-Tenant Threat Model


The cloud trust model depends on hypervisor isolation. Two customers on the same physical host cannot, by design, see or affect each other's workloads. The hypervisor is the enforcement boundary.


ITScape breaks that boundary on arm64. An attacker who controls a guest, whether a VM they legitimately rented or another customer's VM they have compromised, can reach the host kernel. From the host kernel, the attacker can read memory belonging to other guests, interfere with other VMs, or establish persistent access to the physical host itself.


The specific exploitation path requires the attacker to be inside a guest. That is not a high bar: anyone who can launch an EC2 instance, spin up an Azure VM, or compromise a shared tenant's workload has guest access. The question is whether the host kernel underneath that guest is patched.



What Cloud Providers Should Have Done By Now


The patch has been in mainline Linux since June 5, three weeks at the time of writing. Major cloud providers typically push kernel updates to their fleets within days for critical vulnerabilities, so AWS, Azure, and GCP should all have applied the fix to their hypervisor kernels by now.


The risk is not the major cloud providers — it is:


Managed Kubernetes providers and container platforms running on arm64 infrastructure where kernel update cadence is slower than the hypervisor fleet.


Private cloud deployments on arm64 hardware — on-premises Graviton-based infrastructure, private OpenStack or KVM-based clouds that don't have automatic kernel patching.


VPS providers and budget hosters on arm64 who run older kernels and update infrequently.


Embedded systems and edge computing using arm64 Linux with KVM for virtualization — industrial, telco, healthcare appliances running virtualized workloads.



For Workloads Running on arm64


If you are running workloads on arm64 cloud infrastructure and you are responsible for the kernel:


Check whether your host kernel contains commit 13031fb6b835. The version string alone is not enough: distribution kernels backport fixes without changing the upstream version, so an older-looking kernel may already be fixed and a newer-looking one may not be. If the kernel you run predates the June 5 fix and your vendor has not backported it, you are running vulnerable vgic-its code.
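As an added example, not tooling from the article or from any vendor, here is a small POSIX shell helper that classifies a kernel git ref as not-affected, vulnerable or fixed using the two commit ids the article quotes. It assumes a local clone of mainline or linux-stable at a path you supply. Its backport detection relies on the linux-stable convention of writing "commit <mainline-id> upstream" in backport messages; vendor kernels that backport without that line will still be reported as vulnerable, so treat that answer as a pointer to the vendor's changelog rather than a verdict.

```shell
#!/bin/sh
# Added example, not the article's or any vendor's tooling.
# Classify a kernel git ref against the ITScape window.  Assumes a local
# clone of mainline or linux-stable; the commit ids are parameters so the
# helper is reusable for other bugs.

# has_commit TREE REF SHA
# succeeds if SHA is an ancestor of REF, or if some commit reachable from
# REF cites SHA in its message (the linux-stable "commit X upstream" line)
has_commit() {
    tree=$1; ref=$2; sha=$3
    if git -C "$tree" merge-base --is-ancestor "$sha" "$ref" 2>/dev/null; then
        return 0
    fi
    git -C "$tree" log --fixed-strings --grep="$sha" --format=%H "$ref" \
        2>/dev/null | grep -q .
}

# classify_kernel_ref TREE REF INTRODUCING_SHA FIX_SHA
# prints one of: fixed | vulnerable | not-affected
# The fix is tested first on purpose: a fix commit's "Fixes:" tag cites the
# introducing commit, so a fixed tree would otherwise also match the
# introducing id through the message search.
classify_kernel_ref() {
    tree=$1; ref=$2; introduced=$3; fixed=$4
    if has_commit "$tree" "$ref" "$fixed"; then
        echo fixed
    elif has_commit "$tree" "$ref" "$introduced"; then
        echo vulnerable
    else
        echo not-affected
    fi
}

# Usage with the ids quoted in the article, against a mainline clone at ~/src/linux
# (path and tag are assumptions for the example):
#   classify_kernel_ref ~/src/linux v6.6 8201d1028caa 13031fb6b835
```

Run it against the tag or branch your host kernel was built from, not against `uname -r`; for a vendor kernel the honest input is the vendor's source tree, and if you do not have one, the vendor's advisory is the only reliable answer.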


If you are a tenant on a managed cloud provider, contact them for confirmation that their arm64 hypervisor fleet has been patched. Most major providers have patched. Confirmation is worth having documented.


If you are running private arm64 KVM infrastructure, patch now. The PoC is public.






