PoC Exploit Released for Guest-to-Host Escape Linux Kernel Vulnerability

https://cybersecuritynews.com/poc-exploit-released-linux-kernel-vulnerability/

Publish Date: 2026-06-11 08:29:00

Source Domain: cybersecuritynews.com

A proof-of-concept (PoC) exploit has been released for a critical Linux kernel vulnerability, CVE-2026-46316, that enables a guest-to-host escape in KVM environments on arm64 systems.

The flaw, named “ITScape,” allows attackers to break out of a virtual machine and execute arbitrary commands on the host with full kernel-level privileges.

The vulnerability was discovered by security researcher Hyunwoo Kim (V4bel) and affects the in-kernel KVM implementation rather than user-space components like QEMU.

This makes the issue particularly severe, as exploitation results in a direct compromise of the host kernel rather than a confined user-space process.

ITScape is caused by a race condition in the vGIC-ITS (Interrupt Translation Service) emulation within KVM on arm64.

By triggering specific interrupt-related operations from within a guest, an attacker can exploit a “double-put” condition that leads to memory corruption.

This corruption can then be leveraged to achieve arbitrary code execution in the host kernel context.

PoC Exploit Released for Linux Kernel Vulnerability

The released PoC demonstrates how the vulnerability can be triggered entirely from the guest VM without requiring any interaction from the host.

In the test setup, the exploit uses KVM self-tests and runs within a QEMU TCG environment to emulate an ARM64 host.

The guest code performs crafted GIC/ITS MMIO operations that trigger a flaw in KVM’s interrupt handling logic, ultimately leading to host-level code execution.

Successful exploitation is confirmed by creating a file named “/ITScape” on the host system with root ownership. Although the PoC is not fully weaponized for real-world attacks, it reliably demonstrates the complete exploit chain.

Researcher Hyunwoo Kim (V4bel) noted on GitHub that attackers familiar with cloud infrastructure could adapt the technique by tuning memory offsets, timing conditions, and kernel-specific parameters,…