A critical security vulnerability, CVE-2026-46316, has been identified in ITScape KVM that allows untrusted guest virtual machines in KVM/arm64 environments to escape their isolation and execute commands on the host with root privileges. Discovered by researcher Hyunwoo Kim, the issue arises from a race condition within the VGIC-ITS emulation. Attackers with basic guest access can exploit it, because root privileges are typically granted in public cloud deployments.
Proof-of-concept exploit code has been released, significantly raising the threat level for unpatched systems. Cloud operators are urged to apply a patch already merged by Linux kernel maintainers to mitigate the risks. The vulnerability affects arm64 kernel versions from late April 2024 to early June 2026.