VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46171

Description

In the Linux kernel, the following vulnerability has been resolved:

riscv: kvm: fix vector context allocation leak

When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, a memory leak in RISC-V KVM's vector context allocation when the second kzalloc fails is fixed by freeing the first allocation.

Vulnerability

A memory leak exists in the RISC-V KVM subsystem of the Linux kernel, specifically in the function kvm_riscv_vcpu_alloc_vector_context. When the first kzalloc call for guest_context.vector.datap succeeds but the second kzalloc for host_context.vector.datap fails, the previously allocated memory is not freed, leading to a leak. This issue affects kernel versions before the fix commit b7c958d7c1eb1cb9b2be7b5ee4129fcd66cec978. The vulnerability is exposed when KVM is used with RISC-V guests that have vector extension support enabled, triggering the allocation path.

Exploitation

An attacker would need to be able to create a RISC-V KVM guest with vector extension capabilities on a host running an affected kernel. The exploitation requires the ability to trigger the allocation failure for the second kzalloc, which might be achieved by exhausting memory or other resource constraints during VM creation. The sequence involves calling the flawed function, which, if the second allocation fails, leaves the first allocation unfreed. This depends on system memory pressure and the triggering of the error path.

Impact

The vulnerability results in a memory leak of the guest_context.vector.datap allocation (a single pointer-sized allocation per occurrence). Over repeated VM creation attempts that trigger the failure condition, this could lead to gradual depletion of system memory, potentially causing denial of service (DoS). No privilege escalation or information disclosure is expected from this leak alone.

Mitigation

The fix has been applied in the Linux kernel stable tree as commit b7c958d7c1eb1cb9b2be7b5ee4129fcd66cec978 [1]. Users should update to a kernel version containing this commit. For distributions that backport security fixes, update to the latest stable release. There is no known workaround other than avoiding the triggering conditions (e.g., not using KVM with RISC-V vector guests), which may not be feasible. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

6
b7c958d7c1eb

riscv: kvm: fix vector context allocation leak

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Osama Abdelkader · Mar 16, 2026 · Fixed in 7.1-rc1 via kernel-cna
2 files changed · +8 −4
  • arch/riscv/kvm/vcpu_vector.c +4 −2 modified
    diff --git a/arch/riscv/kvm/vcpu_vector.c b/arch/riscv/kvm/vcpu_vector.c
    index 05f3cc2d8e311a..5b6ad82d47beb7 100644
    --- a/arch/riscv/kvm/vcpu_vector.c
    +++ b/arch/riscv/kvm/vcpu_vector.c
    @@ -80,8 +80,11 @@ int kvm_riscv_vcpu_alloc_vector_context(struct kvm_vcpu *vcpu)
     		return -ENOMEM;
     
     	vcpu->arch.host_context.vector.datap = kzalloc(riscv_v_vsize, GFP_KERNEL);
    -	if (!vcpu->arch.host_context.vector.datap)
    +	if (!vcpu->arch.host_context.vector.datap) {
    +		kfree(vcpu->arch.guest_context.vector.datap);
    +		vcpu->arch.guest_context.vector.datap = NULL;
     		return -ENOMEM;
    +	}
     
     	return 0;
     }
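Review bot: The `kfree` plus `= NULL` pair added under the second failure check is the right shape, but the `= NULL` line deserves a comment: since `kfree(NULL)` is a no-op, clearing `guest_context.vector.datap` is what keeps a later free of the vector context from double-freeing the buffer, and that intent is not obvious from the three lines alone. If a third allocation is ever added to `kvm_riscv_vcpu_alloc_vector_context`, this inline unwind should become a goto-based error label so frees stay in reverse allocation order; the first `return -ENOMEM` at the top of the hunk is fine as is because nothing has been allocated yet. The same comment applies to the identical stable backports below.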
    
bd62c0f61bc7

riscv: kvm: fix vector context allocation leak

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Osama Abdelkader · Mar 16, 2026 · Fixed in 6.18.30 via kernel-cna
2 files changed · +8 −4
  • arch/riscv/kvm/vcpu_vector.c +4 −2 modified
    diff --git a/arch/riscv/kvm/vcpu_vector.c b/arch/riscv/kvm/vcpu_vector.c
    index 05f3cc2d8e311a..5b6ad82d47beb7 100644
    --- a/arch/riscv/kvm/vcpu_vector.c
    +++ b/arch/riscv/kvm/vcpu_vector.c
    @@ -80,8 +80,11 @@ int kvm_riscv_vcpu_alloc_vector_context(struct kvm_vcpu *vcpu)
     		return -ENOMEM;
     
     	vcpu->arch.host_context.vector.datap = kzalloc(riscv_v_vsize, GFP_KERNEL);
    -	if (!vcpu->arch.host_context.vector.datap)
    +	if (!vcpu->arch.host_context.vector.datap) {
    +		kfree(vcpu->arch.guest_context.vector.datap);
    +		vcpu->arch.guest_context.vector.datap = NULL;
     		return -ENOMEM;
    +	}
     
     	return 0;
     }
    
1d57ab45ec5c

riscv: kvm: fix vector context allocation leak

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Osama Abdelkader · Mar 16, 2026 · Fixed in 7.0.7 via kernel-cna
2 files changed · +8 −4
  • arch/riscv/kvm/vcpu_vector.c +4 −2 modified
    diff --git a/arch/riscv/kvm/vcpu_vector.c b/arch/riscv/kvm/vcpu_vector.c
    index 05f3cc2d8e311a..5b6ad82d47beb7 100644
    --- a/arch/riscv/kvm/vcpu_vector.c
    +++ b/arch/riscv/kvm/vcpu_vector.c
    @@ -80,8 +80,11 @@ int kvm_riscv_vcpu_alloc_vector_context(struct kvm_vcpu *vcpu)
     		return -ENOMEM;
     
     	vcpu->arch.host_context.vector.datap = kzalloc(riscv_v_vsize, GFP_KERNEL);
    -	if (!vcpu->arch.host_context.vector.datap)
    +	if (!vcpu->arch.host_context.vector.datap) {
    +		kfree(vcpu->arch.guest_context.vector.datap);
    +		vcpu->arch.guest_context.vector.datap = NULL;
     		return -ENOMEM;
    +	}
     
     	return 0;
     }
    

Vulnerability mechanics

Root cause

"Missing error-path cleanup in kvm_riscv_vcpu_alloc_vector_context: when the second kzalloc (host_context.vector.datap) fails, the previously allocated guest_context.vector.datap is not freed, causing a memory leak."

Attack vector

An attacker with the ability to create a KVM virtual machine on a RISC-V host that supports the vector extension can trigger this bug. When the kernel attempts to allocate vector context for a vCPU, if the second memory allocation (host_context.vector.datap) fails due to memory pressure, the first allocation (guest_context.vector.datap) is leaked. Repeated exploitation can exhaust kernel memory, leading to denial of service.

Affected code

The vulnerable function is kvm_riscv_vcpu_alloc_vector_context in arch/riscv/kvm/vcpu_vector.c [patch_id=2898083]. The function performs two kzalloc calls for guest_context.vector.datap and host_context.vector.datap, but the error path for the second allocation failure did not free the first allocation.

What the fix does

The patch adds a kfree(vcpu->arch.guest_context.vector.datap) and sets the pointer to NULL before returning -ENOMEM when the second kzalloc fails [patch_id=2898083]. This ensures the first allocation is properly freed on the error path, preventing the memory leak. The pointer is also set to NULL to avoid use-after-free if the freed pointer is later accessed.
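As an added illustration, not the kernel's own code, the following user-space model places the pre-fix and post-fix versions of kvm_riscv_vcpu_alloc_vector_context side by side and runs both with the second allocation forced to fail. The allocator (kzalloc_sim/kfree_sim), the simplified struct layout, ENOMEM and RISCV_V_VSIZE are stand-ins constructed for the example; the leak counter shows one block left live by the old code and none by the fixed code.

```c
/* Added example, not kernel code: user-space model of this patch's leak. kzalloc/kfree
 * are a counting allocator whose Nth call can be forced to fail (simulated memory pressure). */
#include <stdlib.h>
#include <string.h>
#define ENOMEM 12
#define RISCV_V_VSIZE 256   /* stand-in for riscv_v_vsize */
struct riscv_v_ctx { void *datap; };
struct cpu_ctx     { struct riscv_v_ctx vector; };
struct kvm_vcpu    { struct { struct cpu_ctx guest_context, host_context; } arch; };

static int live_allocs;            /* blocks not yet freed; >0 after -ENOMEM is a leak */
static int call_no, fail_on_call;  /* fail_on_call == N makes the Nth kzalloc return NULL */

static void *kzalloc_sim(size_t n) {
    if (++call_no == fail_on_call) return NULL;
    live_allocs++;
    return calloc(1, n);
}
static void kfree_sim(void *p) { if (p) { live_allocs--; free(p); } }

/* Before the fix: a failed second allocation leaves the first one unfreed. */
int alloc_vector_context_buggy(struct kvm_vcpu *vcpu) {
    vcpu->arch.guest_context.vector.datap = kzalloc_sim(RISCV_V_VSIZE);
    if (!vcpu->arch.guest_context.vector.datap) return -ENOMEM;
    vcpu->arch.host_context.vector.datap = kzalloc_sim(RISCV_V_VSIZE);
    if (!vcpu->arch.host_context.vector.datap) return -ENOMEM;   /* guest buffer leaks */
    return 0;
}

/* After commit b7c958d7c1eb: free the guest buffer and clear the pointer. */
int alloc_vector_context_fixed(struct kvm_vcpu *vcpu) {
    vcpu->arch.guest_context.vector.datap = kzalloc_sim(RISCV_V_VSIZE);
    if (!vcpu->arch.guest_context.vector.datap) return -ENOMEM;
    vcpu->arch.host_context.vector.datap = kzalloc_sim(RISCV_V_VSIZE);
    if (!vcpu->arch.host_context.vector.datap) {
        kfree_sim(vcpu->arch.guest_context.vector.datap);
        vcpu->arch.guest_context.vector.datap = NULL;  /* a later kfree(NULL) is a no-op */
        return -ENOMEM;
    }
    return 0;
}

/* Run one variant with the 2nd kzalloc forced to fail. Returns the number of blocks
 * still live, or -1 if the call did not fail with -ENOMEM as the scenario requires. */
int leaked_when_second_kzalloc_fails(int (*alloc)(struct kvm_vcpu *)) {
    struct kvm_vcpu vcpu;
    memset(&vcpu, 0, sizeof vcpu);
    live_allocs = 0; call_no = 0; fail_on_call = 2;
    return alloc(&vcpu) == -ENOMEM ? live_allocs : -1;
}
```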

Preconditions

  • config: The host must be running a RISC-V Linux kernel with KVM and the vector extension support enabled.
  • auth: An attacker must have the ability to create KVM virtual machines (requires appropriate privileges such as CAP_SYS_ADMIN or access to /dev/kvm).
  • input: The system must be under memory pressure such that the second kzalloc (GFP_KERNEL) can fail.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.