How to defend ARM64 cloud infrastructure from ITScape
ITScape (CVE-2026-46316) is a critical guest-to-host escape vulnerability located in the vGIC-ITS emulation of KVM/arm64. By exploiting a race condition that triggers a double-put use-after-free, an attacker with guest kernel privileges can execute arbitrary code on the host kernel, completely compromising the hypervisor and threatening multi-tenant cloud infrastructure.
- CVE: CVE-2026-46316
- CVE: CVE-2026-46317
- SHA256: e0ab84da2d2783c8cae3624e8ce58b99ad79219753b249671ff7f743abdacc35 (SHA256 hash of the ITScape exploit Proof of Concept (PoC) binary)
- URL: hxxps://github[.]com/V4bel/ITScape/blob/main/poc[.]c (URL hosting the Proof of Concept (PoC) source code for the ITScape exploit)
What Happened
A critical security flaw named ITScape was discovered in KVM, the Linux kernel component that runs virtual machines on ARM64 processors. The vulnerability allows an attacker who controls the kernel inside a virtual machine to break out and take full control of the underlying host server. This is especially dangerous for cloud providers who host multiple customers on the same physical hardware. Organizations running ARM64 cloud infrastructure should apply the kernel patches to their KVM hosts immediately.
Key Takeaways
- ITScape (CVE-2026-46316) is a critical guest-to-host escape vulnerability in the vGIC-ITS emulation within KVM/arm64.
- Exploitation yields host kernel privileges from a guest, posing a severe threat to multi-tenant cloud environments.
- The root cause is a race condition in the vgic_its_invalidate_cache() function leading to a double-put use-after-free.
- A Proof of Concept (PoC) exploit exists, and YARA rules have been developed to detect its specific constants and privilege-dropping behaviors.
- Defenders must prioritize applying the mainline kernel patch at commit 13031fb6b835.
Affected Systems
- KVM/arm64 hosts
- Linux kernels that contain the introducing commit 8201d1028caa (2024-04-25) and do not yet contain the fix commit 13031fb6b835 (2026-06-05)
Vulnerabilities (CVEs)
- CVE-2026-46316
- CVE-2026-46317
Attack Chain
The attacker, starting with guest kernel privileges, triggers a race condition in the vgic_its_invalidate_cache() function within the KVM/arm64 vGIC-ITS emulation. The race causes a double put of a reference, and the resulting use-after-free corrupts host kernel memory. The attacker leverages this memory corruption to execute arbitrary code in the host kernel, escaping the guest virtual machine and gaining host kernel privileges (and with them full root on the host).
Detection Availability
- YARA Rules: Yes
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: ReversingLabs
The article provides two YARA rules designed to detect the ITScape PoC binary by matching hardcoded 64-bit exploit constants and a specific privilege-dropping instruction sequence.
Detection Engineering Assessment
- EDR Visibility: Low. The vulnerability is triggered entirely within in-kernel KVM code, bypassing standard user-space EDR hooks; detection relies on scanning guest binaries or monitoring anomalous kernel behaviour on the host.
- Network Visibility: None. This is a local guest-to-host escape with no inherent network footprint.
- Detection Difficulty: Hard. Detecting in-kernel exploitation requires hypervisor- or kernel-level telemetry that is often unavailable or noisy.
Required Log Sources
- Host Kernel Logs
- KVM/QEMU Logs
- Host Process Execution Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unexpected processes or commands (such as '/bin/touch /ITScape') originating from KVM worker processes or kernel threads on the host. | Host Process Execution Logs | Execution | Low |
| Consider monitoring for anomalous privilege dropping sequences (setgroups, setgid, setuid) executed by unexpected binaries interacting with /dev/kvm. | Host System Call Logs | Privilege Escalation | Medium |
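The two hypotheses above as runnable detection logic, added here as an example (it is not code from the article, ReversingLabs or the ITScape PoC). The record layout (ts pid ppid comm parent_comm event detail) and the sample lines are constructed; the kernel-thread name patterns follow Linux conventions (kthreadd has PID 2, workers are named kworker/*), and the allowlist of processes expected to touch /dev/kvm is an assumption to tune per fleet. The second hunt matches the PoC's own behaviour, so it only fires on telemetry from wherever guest workloads are visible.

```python
"""Hunt for the two ITScape hypotheses over process and syscall telemetry.

Added example, not code from the original article or the ITScape PoC.
Assumed record layout (constructed): ts pid ppid comm parent_comm event detail
Events: EXEC <argv>, OPEN <path>, STAT <path>, SYSCALL <name>.
"""
from dataclasses import dataclass
import re

# Constructed sample telemetry, not real host logs.
SAMPLE_LOG = """\
1001 4321 1    sleep               systemd             EXEC    /usr/bin/sleep 30
1002 4400 4399 qemu-bridge-helper  qemu-system-aarch64 EXEC    /usr/libexec/qemu-bridge-helper
1003 4500 2    touch               kthreadd            EXEC    /bin/touch /ITScape
1004 4600 1200 poc                 bash                STAT    /dev/kvm
1005 4600 1200 poc                 bash                SYSCALL setgroups
1006 4600 1200 poc                 bash                SYSCALL setgid
1007 4600 1200 poc                 bash                SYSCALL setuid
1008 4800 1    qemu-system-aarch64 systemd             OPEN    /dev/kvm
1009 4800 1    qemu-system-aarch64 systemd             SYSCALL setgroups
1010 4800 1    qemu-system-aarch64 systemd             SYSCALL setgid
1011 4800 1    qemu-system-aarch64 systemd             SYSCALL setuid
1012 4900 1300 sshd                sshd                SYSCALL setuid
"""

PAYLOAD_CMD = "/bin/touch /ITScape"          # command line IOC from this page
KTHREADD_PID = 2                             # Linux: kthreadd is always PID 2
# Assumption: kernel-thread comm prefixes; extend for your kernel's thread names.
KERNEL_THREAD_RE = re.compile(r"^(kthreadd$|kworker/|ksoftirqd/|migration/|rcu_|kvm-)")
# Assumption: processes legitimately expected to open /dev/kvm on this fleet.
EXPECTED_KVM_USERS = {"qemu-system-aarch64", "qemu-kvm", "firecracker", "crosvm", "cloud-hypervisor"}
PRIV_DROP_SEQ = ("setgroups", "setgid", "setuid")


@dataclass
class Event:
    ts: int
    pid: int
    ppid: int
    comm: str
    pcomm: str
    kind: str
    detail: str


def parse_records(log: str) -> list[Event]:
    """Parse the constructed whitespace-separated records into Event objects."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, comm, pcomm, kind, detail = line.split(maxsplit=6)
        events.append(Event(int(ts), int(pid), int(ppid), comm, pcomm, kind, detail.strip()))
    return events


def hunt_exec_from_kernel_thread(events: list[Event]) -> list[Event]:
    """Hypothesis 1: a user-space exec whose parent is a kernel thread (as happens
    when the kernel itself launches a command), or whose argv is the known payload."""
    hits = []
    for e in events:
        if e.kind != "EXEC":
            continue
        if e.ppid == KTHREADD_PID or KERNEL_THREAD_RE.match(e.pcomm) or e.detail == PAYLOAD_CMD:
            hits.append(e)
    return hits


def hunt_priv_drop_after_kvm(events: list[Event]) -> list[Event]:
    """Hypothesis 2: per PID, an open/stat of /dev/kvm followed by setgroups, setgid,
    setuid in that order, from a comm that is not an expected VMM. Returns the event
    that completes the sequence. Caveat: keyed on PID only, so PID reuse between a
    reboot-free open and the syscalls would need a start-time key in real telemetry."""
    progress: dict[int, int] = {}   # pid -> how many of PRIV_DROP_SEQ seen so far
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind in ("OPEN", "STAT") and e.detail == "/dev/kvm":
            progress.setdefault(e.pid, 0)
        elif e.kind == "SYSCALL" and e.pid in progress:
            i = progress[e.pid]
            if i < len(PRIV_DROP_SEQ) and e.detail == PRIV_DROP_SEQ[i]:
                progress[e.pid] = i + 1
                if progress[e.pid] == len(PRIV_DROP_SEQ) and e.comm not in EXPECTED_KVM_USERS:
                    hits.append(e)
    return hits


if __name__ == "__main__":
    evs = parse_records(SAMPLE_LOG)
    for e in hunt_exec_from_kernel_thread(evs):
        print(f"[H1] pid={e.pid} parent={e.pcomm} argv={e.detail!r}")
    for e in hunt_priv_drop_after_kvm(evs):
        print(f"[H2] pid={e.pid} comm={e.comm} dropped privileges after touching /dev/kvm")
```

Against the constructed records the first hunt flags only PID 4500 (exec of the payload command with kthreadd as parent) and the second flags only PID 4600; the QEMU process performs the same privilege-drop sequence but is on the allowlist, and PID 4900 never touched /dev/kvm.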
Control Gaps
- User-space EDR visibility into kernel-level KVM operations
- Guest-level security controls cannot prevent hypervisor exploitation
Key Behavioral Indicators
- Presence of hardcoded exploit constants (e.g., ORDERLY_POWEROFF, POWEROFF_CMD) in compiled ARM64 ELF binaries
- Specific instruction sequences performing stat on /dev/kvm followed by setgroups/setgid/setuid
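A file-level triage scan built from the indicators on this page (the PoC SHA256, the ARM64 ELF type, the payload command string and the /dev/kvm path), added as an example that is not code from the article, ReversingLabs or the PoC repository. The sample files it scans are constructed stubs with a minimal ELF64 header; the hash check can only match the real PoC binary, and /dev/kvm alone is treated as a weak signal because legitimate VMMs reference it too.

```python
"""Triage scan for the ITScape PoC file indicators listed on this page.

Added example, not code from the article, ReversingLabs or the PoC repository.
Checks: published SHA256 of the PoC binary, ARM64 ELF machine type, embedded
payload command string and /dev/kvm path. Sample files are constructed stubs.
"""
import hashlib
import os
import struct
import tempfile

POC_SHA256 = "e0ab84da2d2783c8cae3624e8ce58b99ad79219753b249671ff7f743abdacc35"
PAYLOAD_CMD = b"/bin/touch /ITScape"   # host command run by the PoC payload (this page)
KVM_DEV = b"/dev/kvm"                  # path the PoC stats before dropping privileges
EM_AARCH64 = 183                       # ELF e_machine value for AArch64
EM_X86_64 = 62
ELFCLASS64 = 2


def is_arm64_elf(data: bytes) -> bool:
    """True if data starts with an ELF64 header whose e_machine is AArch64."""
    if len(data) < 20 or data[:4] != b"\x7fELF" or data[4] != ELFCLASS64:
        return False
    (e_machine,) = struct.unpack_from("<H", data, 18)  # e_ident (16) + e_type (2)
    return e_machine == EM_AARCH64


def scan_bytes(name: str, data: bytes) -> dict:
    """Evaluate every indicator against one file's contents."""
    return {
        "name": name,
        "sha256_match": hashlib.sha256(data).hexdigest() == POC_SHA256,
        "arm64_elf": is_arm64_elf(data),
        "has_payload_cmd": PAYLOAD_CMD in data,
        "has_kvm_path": KVM_DEV in data,
    }


def verdict(r: dict) -> str:
    """Rank a scan result: exact hash > payload string in an ARM64 ELF > weak hints."""
    if r["sha256_match"]:
        return "known-poc"
    if r["arm64_elf"] and r["has_payload_cmd"]:
        return "suspicious"
    if r["has_payload_cmd"] or (r["arm64_elf"] and r["has_kvm_path"]):
        return "review"   # payload string elsewhere, or an ARM64 binary that only mentions /dev/kvm
    return "clean"


def scan_tree(root: str) -> dict:
    """Map each file name under root to its verdict."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                out[f] = verdict(scan_bytes(path, fh.read()))
    return out


def make_elf_stub(e_machine: int, body: bytes) -> bytes:
    """Constructed minimal little-endian ELF64 header plus arbitrary bytes.
    A test fixture only; it is not a loadable executable."""
    ident = b"\x7fELF" + bytes([ELFCLASS64, 1, 1, 0]) + b"\x00" * 8  # class, LE, version, OSABI, pad
    return ident + struct.pack("<HH", 2, e_machine) + body              # e_type=ET_EXEC, e_machine


def demo() -> dict:
    """Write constructed samples into a temp dir and scan them."""
    samples = {
        "poc_like.bin": make_elf_stub(EM_AARCH64, b"\x00" * 64 + PAYLOAD_CMD + b"\x00" + KVM_DEV),
        "vmm_like.bin": make_elf_stub(EM_AARCH64, b"\x00" * 64 + KVM_DEV),
        "x86_tool.bin": make_elf_stub(EM_X86_64, PAYLOAD_CMD),   # right string, wrong architecture
        "notes.txt": b"ITScape advisory notes\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan_tree(d)


if __name__ == "__main__":
    for name, v in sorted(demo().items()):
        print(f"{v:10s} {name}")
```

Run it against a directory of guest images or extracted files; anything returning known-poc or suspicious is worth pulling for the YARA rules, while review hits need a human look.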
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Prioritize applying the mainline patch at commit 13031fb6b835 and companion fixes for CVE-2026-46317 on all arm64 KVM hosts.
Infrastructure Hardening
- Evaluate the risk to multi-tenant arm64 infrastructure and consider isolating untrusted guests to dedicated physical hosts where possible.
- Where host telemetry allows, instrument the vgic-its code path and related KVM kernel functions (for example, tracing calls into vgic_its_invalidate_cache()) so that unexpected activity on this path from untrusted guests is recorded.
User Protection
- N/A
Security Awareness
- Educate cloud infrastructure teams on the risks of guest-to-host escapes and the importance of rapid hypervisor patching.
MITRE ATT&CK Mapping
- T1068 - Exploitation for Privilege Escalation
- T1611 - Escape to Host
Additional IOCs
Command Lines:
| Value | Purpose | Tools | Stage |
|---|---|---|---|
| /bin/touch /ITScape | Host command string executed by the exploit payload to demonstrate successful host code execution | touch | Execution |