PoC Exploit Released for Guest-to-Host Escape Linux Kernel Vulnerability

Source: Cybersecurity News. Archived Jun 11, 2026.

By Abinaya, June 11, 2026

A proof-of-concept (PoC) exploit has been released for a critical Linux kernel vulnerability, CVE-2026-46316, that enables a guest-to-host escape in KVM environments on arm64 systems. The flaw, named “ITScape,” allows attackers to break out of a virtual machine and execute arbitrary commands on the host with full kernel-level privileges.

The vulnerability was discovered by security researcher Hyunwoo Kim (V4bel) and affects the in-kernel KVM implementation rather than user-space components like QEMU. This makes the issue particularly severe, as exploitation results in a direct compromise of the host kernel rather than a confined user-space process.

ITScape is caused by a race condition in the vGIC-ITS (Interrupt Translation Service) emulation within KVM on arm64. By triggering specific interrupt-related operations from within a guest, an attacker can exploit a “double-put” condition that leads to memory corruption. This corruption can then be leveraged to achieve arbitrary code execution in the host kernel context.

PoC Exploit Released for Linux Kernel Vulnerability

The released PoC demonstrates how the vulnerability can be triggered entirely from the guest VM without requiring any interaction from the host. In the test setup, the exploit uses KVM self-tests and runs within a QEMU TCG environment to emulate an ARM64 host. The guest code performs crafted GIC/ITS MMIO operations that trigger a flaw in KVM’s interrupt handling logic, ultimately leading to host-level code execution.

Successful exploitation is confirmed by creating a file named “/ITScape” on the host system with root ownership. Although the PoC is not fully weaponized for real-world attacks, it reliably demonstrates the complete exploit chain.

Researcher Hyunwoo Kim (V4bel) noted on GitHub that attackers familiar with cloud infrastructure could adapt the technique by tuning memory offsets, timing conditions, and kernel-specific parameters, making real-world exploitation feasible.

The vulnerability impacts Linux kernel versions from April 2024 (commit 8201d1028caa) through early June 2026, before the patch introduced in commit 13031fb6b835. Systems running these versions in ARM64 KVM environments are vulnerable, particularly those hosting untrusted or multi-tenant workloads.

This issue is especially concerning for public cloud providers that use ARM64 infrastructure, where users typically have root access to their own virtual machines. In such scenarios, the vulnerability could allow an attacker to escape their VM, gain control of the host, and potentially compromise other tenants or workloads running on the same system.

Importantly, the vulnerability does not affect x86 systems, as it is specific to the ARM64 KVM subsystem located in the Linux kernel’s virtualization code.

Security teams are strongly advised to apply the available patch immediately and verify that their systems are no longer running vulnerable kernel versions. Additional precautions include monitoring for unusual VM behavior, limiting exposure to untrusted guests, and staying alert for further research into similar KVM escape techniques.

The release of a working PoC significantly increases the risk of exploitation, making timely patching and proactive monitoring essential for affected environments.
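
An added example (not from the article or the researcher's repository): one way to carry out the "verify that systems are no longer running vulnerable kernel versions" step for a kernel built from an upstream git tree, using the two commit ids quoted above. The function names, verdict strings, and the tree path and ref arguments are assumptions; distribution kernels may carry the fix under a different commit id, so for those the vendor advisory decides.

```bash
#!/usr/bin/env bash
# Added example: exposure triage for CVE-2026-46316 on one host.
# The two commit ids come from the article; names and verdicts are assumptions.
INTRO_COMMIT=8201d1028caa   # commit the article names as the start of the affected range
FIX_COMMIT=13031fb6b835     # commit the article names as the patch

# has_commit REPO REF COMMIT: prints yes, no, or unknown (commit or ref not in REPO).
has_commit() {
    local repo=$1 ref=$2 commit=$3
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null ||
       ! git -C "$repo" cat-file -e "${ref}^{commit}" 2>/dev/null; then
        echo unknown
    elif git -C "$repo" merge-base --is-ancestor "$commit" "$ref"; then
        echo yes
    else
        echo no
    fi
}

# classify ARCH KVM INTRO FIX: pure decision step, prints one verdict word.
classify() {
    local arch=$1 kvm=$2 intro=$3 fix=$4
    if [ "$arch" != aarch64 ] && [ "$arch" != arm64 ]; then
        echo not-affected-arch        # the article: x86 is not affected
    elif [ "$kvm" != yes ]; then
        echo no-kvm                   # host does not expose KVM to guests
    elif [ "$fix" = yes ]; then
        echo patched
    elif [ "$intro" = no ]; then
        echo predates-flaw
    elif [ "$intro" = yes ] && [ "$fix" = no ]; then
        echo vulnerable
    else
        echo unknown-check-vendor-advisory
    fi
}

# itscape_report TREE REF: TREE is a kernel git checkout, REF the tag or commit
# the running kernel was built from (both supplied by the operator).
itscape_report() {
    local kvm=no
    if [ -e /dev/kvm ]; then kvm=yes; fi
    classify "$(uname -m)" "$kvm" \
        "$(has_commit "$1" "$2" "$INTRO_COMMIT")" \
        "$(has_commit "$1" "$2" "$FIX_COMMIT")"
}
```

Run `itscape_report /path/to/linux <ref>` on the hypervisor host itself; a verdict of `unknown-check-vendor-advisory` means the tree lacks one of the two commits or the ref, which is the usual case for distribution kernels.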