How to defend ARM64 cloud infrastructure from ITScape

ITScape (CVE-2026-46316) is a guest-to-host escape flaw in the vGIC-ITS emulation of KVM/arm64 that can lead to host kernel code execution on multi-tenant cloud systems. ReversingLabs (RL) released two YARA rules and guidance to detect the public exploit's hardcoded constants and its /dev/kvm permission-check and privilege-drop sequence, and urges operators to apply the mainline fix and its companion updates.

Keypoints

  • ITScape (CVE-2026-46316) is a guest-to-host escape vulnerability in vGIC-ITS emulation within KVM/arm64.
  • The issue was disclosed by researcher Hyunwoo Kim (V4bel) via oss-security on June 10.
  • The root cause is a race condition in vgic_its_invalidate_cache(): two paths can drop the same cached reference, so the reference count is decremented twice (a double put) and the object is freed while it is still in use (use-after-free).
  • Successful exploitation can result in host kernel code execution, not just user-space compromise.
  • The vulnerability is especially dangerous for multi-tenant arm64 cloud environments that run untrusted guests.
  • RL created two YARA rules: one that matches hardcoded constants from the public exploit and one that matches its /dev/kvm permission-check and privilege-drop sequence.
  • Defenders are advised to apply the mainline patch (commit 13031fb6b835) together with its companion fixes, and to watch the vgic-its code path for follow-up changes.
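
The double-put race named in the root-cause keypoint, modelled as an added example. This is a constructed toy, not the vgic-its code and not RL's analysis: the `obj`/`cache` structures, the split of the buggy invalidation into `buggy_load` and `buggy_clear_and_put` (so the harmful interleaving can be scheduled deterministically without threads), and the `atomic_exchange` fix are all assumptions chosen to show the pattern; the page says nothing about how the real race interleaves beyond "race" and "double put".

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed toy model of a "double put" race (not KVM code). One object is
 * owned by a long-lived holder and is also referenced from a one-slot cache;
 * invalidating the cache must drop the cache's reference exactly once.
 */
struct obj {
    atomic_int refcount;
    int freed;        /* simulated free(): set when refcount reaches zero */
    int double_puts;  /* puts that arrived after the object was "freed" */
};

struct cache {
    _Atomic(struct obj *) slot;   /* holds one reference to an obj, or NULL */
};

static void obj_get(struct obj *o)
{
    atomic_fetch_add(&o->refcount, 1);
}

/* Drop one reference; the last put frees the object (here: marks it freed). */
static void obj_put(struct obj *o)
{
    if (o->freed) {           /* use-after-free: refcount already hit zero */
        o->double_puts++;
        return;
    }
    if (atomic_fetch_sub(&o->refcount, 1) == 1)
        o->freed = 1;
}

/*
 * Buggy invalidation, split into its two steps so the scenario below can
 * schedule the harmful interleaving: the load and the clear are separate
 * operations, so two racing invalidators can both load the same pointer
 * and both put it.
 */
static struct obj *buggy_load(struct cache *c)
{
    return atomic_load(&c->slot);
}

static void buggy_clear_and_put(struct cache *c, struct obj *o)
{
    if (!o)
        return;
    atomic_store(&c->slot, NULL);
    obj_put(o);
}

/* Fixed invalidation: claim the slot atomically, so only one caller puts. */
static void fixed_invalidate(struct cache *c)
{
    struct obj *o = atomic_exchange(&c->slot, NULL);
    if (o)
        obj_put(o);
}

struct outcome {
    int refcount;
    int freed;
    int double_puts;
};

/* The long-lived holder finally drops its own reference and reports the state. */
static struct outcome finish(struct obj *o)
{
    obj_put(o);
    return (struct outcome){ atomic_load(&o->refcount), o->freed, o->double_puts };
}

/* Invalidators A and B race on the buggy path: A loads, B loads, A puts, B puts. */
struct outcome race_buggy(void)
{
    struct obj o = { .refcount = 1 };    /* holder's reference */
    struct cache c;
    obj_get(&o);                         /* cache's reference: refcount 2 */
    atomic_store(&c.slot, &o);

    struct obj *a = buggy_load(&c);
    struct obj *b = buggy_load(&c);      /* B runs before A has cleared the slot */
    buggy_clear_and_put(&c, a);          /* refcount 2 -> 1 */
    buggy_clear_and_put(&c, b);          /* refcount 1 -> 0: freed while the holder still uses it */
    return finish(&o);                   /* holder's put lands on a freed object */
}

/* Same race on the fixed path: only one of A/B obtains the pointer. */
struct outcome race_fixed(void)
{
    struct obj o = { .refcount = 1 };
    struct cache c;
    obj_get(&o);
    atomic_store(&c.slot, &o);

    fixed_invalidate(&c);                /* A: gets the obj, refcount 2 -> 1 */
    fixed_invalidate(&c);                /* B: slot already NULL, no put */
    return finish(&o);                   /* holder's put frees it normally */
}

int main(void)
{
    struct outcome b = race_buggy(), f = race_fixed();
    printf("buggy: refcount=%d freed=%d double_puts=%d\n", b.refcount, b.freed, b.double_puts);
    printf("fixed: refcount=%d freed=%d double_puts=%d\n", f.refcount, f.freed, f.double_puts);
    return 0;
}
```

The buggy path ends with the holder's pointer dangling and one put landing on freed memory; in a kernel that is the window an attacker reallocates. The fix is the usual shape for this class of bug: make "take the reference out of the shared slot" a single atomic step, so whichever path wins is the only one that puts.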

MITRE Techniques

  • [T1068 ] Exploitation for Privilege Escalation – The exploit abuses the KVM/arm64 kernel bug to go from control of a guest to host kernel code execution ('ultimately enabling host kernel code execution'). It runs with guest root, so an attacker who lacks that 'can be chained with a local privilege escalation' inside the guest first.
  • [T1069 ] Permission Groups Discovery – Before doing anything else the PoC checks whether /dev/kvm is readable and writable by its group ('group permission check (st_mode & 0x6 == 0x6) on /dev/kvm'). Read literally as C, that expression parses as st_mode & (0x6 == 0x6), and the mask 0x6 covers the other-read/write bits (S_IROTH|S_IWOTH) rather than the group bits (S_IRGRP|S_IWGRP, 0x30); treat it as shorthand for the intent, not as the exact source line.
  • [T1082 ] System Information Discovery – The same stat(2) call on /dev/kvm supplies the file mode the PoC inspects ('stat(2) group permission check').
  • [T1548 ] Abuse Elevation Control Mechanism – RL maps the setgroups(0, NULL) / setgid(1000) / setuid(1000) sequence here, but it lowers privileges rather than raising them: the PoC drops to an unprivileged uid/gid before continuing (presumably to show that exploitation does not need root on the machine running it), and that fixed sequence is what the second YARA rule keys on.
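
A host-side audit of how widely /dev/kvm is exposed, added here as an example; it is not code from the PoC, from RL, or from the YARA rules. The `classify_mode`/`classify_path` helpers and the exposure classes are hypothetical names chosen for this illustration. It also spells out the mask point from the stat(2) permission check above: group read+write is S_IRGRP|S_IWGRP, the 0x6 mask is the "other" bits, and the comparison must be parenthesised.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Hypothetical host-side audit (not PoC or RL code): classify how widely a
 * device node, by default /dev/kvm, grants read+write access. A world-rw
 * node means every local account can reach the vulnerable emulation.
 */
enum exposure {
    EXPOSURE_ERROR      = -1,  /* stat(2) failed */
    EXPOSURE_OWNER_ONLY = 0,   /* neither group nor other has r+w */
    EXPOSURE_GROUP_RW   = 1,   /* group has r+w: members of the kvm group can open it */
    EXPOSURE_WORLD_RW   = 2,   /* other has r+w: any local user can open it */
};

/*
 * Classify a mode word. The group bits are S_IRGRP|S_IWGRP (octal 0060, i.e.
 * 0x30); the mask 0x6 is S_IROTH|S_IWOTH, the "other" bits. The parentheses
 * in (mode & mask) == mask matter: `mode & 0x6 == 0x6` parses in C as
 * `mode & (0x6 == 0x6)`, which only tests the lowest bit of the mode.
 */
int classify_mode(mode_t mode)
{
    const mode_t other_rw = S_IROTH | S_IWOTH;
    const mode_t group_rw = S_IRGRP | S_IWGRP;

    if ((mode & other_rw) == other_rw)
        return EXPOSURE_WORLD_RW;
    if ((mode & group_rw) == group_rw)
        return EXPOSURE_GROUP_RW;
    return EXPOSURE_OWNER_ONLY;
}

/* stat(2) a path and classify it; optionally report whether it is a character device. */
int classify_path(const char *path, int *is_chardev)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return EXPOSURE_ERROR;
    if (is_chardev)
        *is_chardev = S_ISCHR(st.st_mode) ? 1 : 0;
    return classify_mode(st.st_mode);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/kvm";
    static const char *names[] = { "owner-only", "group-rw", "world-rw" };
    int chardev = 0;
    int e = classify_path(path, &chardev);

    if (e == EXPOSURE_ERROR) {
        perror(path);
        return 1;
    }
    printf("%s: %s%s\n", path, names[e], chardev ? "" : " (not a character device)");
    /* Exit 2 on world-rw so the check can gate a host-hardening pipeline. */
    return e == EXPOSURE_WORLD_RW ? 2 : 0;
}
```

Run it with no arguments on an arm64 host to see which class /dev/kvm falls into; group-rw limited to the kvm group is the normal distribution default, and a host that never runs local or nested VMs can keep the node owner-only until the patched kernel is deployed.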

Indicators of Compromise

  • [SHA256 ] PoC binary hash for the ITScape proof-of-concept – e0ab84da2d2783c8cae3624e8ce58b99ad79219753b249671ff7f743abdacc35
  • [File/Path ] Device node the PoC stat()s and permission-checks before dropping privileges – /dev/kvm
  • [YARA Rule Name ] RL's two detection rules: hardcoded exploit constants, and the /dev/kvm permission-check and privilege-drop sequence – ITScape_ExploitConstants_1, ITScape_KVM_PrivDrop_1
  • [GitHub Reference ] Reference linked in the YARA metadata for the PoC source – https://github.com/V4bel/ITScape/blob/main/poc.c
  • [Commit Hash ] Vulnerability fixed in mainline at this commit – 13031fb6b835
  • [Commit Hash ] Affected kernel range begins after this commit – 8201d1028caa


Read more: https://www.reversinglabs.com/blog/defend-cloud-infrastructure-itscape