CVE-2026-46113 is a use-after-free vulnerability in the Linux kernel's KVM x86 shadow paging/MMU logic. The flaw arises because KVM computes guest frame numbers (GFNs) for direct shadow pages using sp->gfn plus the SPTE index and assumes that an existing present SPTE corresponds to the correct GFN. Under shadow paging, that assumption can be invalid if guest page tables are modified between VM entries. A documented trigger sequence involves KVM creating a direct-mapped kvm_mmu_page for a 2MB PDE-backed mapping, the PDE mapping then being changed from outside the guest, and a later guest access causing KVM to install a leaf SPTE and reverse-mapping entry for a GFN outside the original [sp->gfn, sp->gfn + 511] range. When the associated memslot is later deleted and the kvm_mmu_page is zapped, rmap_remove() searches only the original range and fails to remove the stale rmap entry. Subsequent rmap walks can then follow the stale entry and dereference a freed kvm_mmu_page. The upstream fix resolves this by detecting target GFN mismatches and zapping the existing SPTE before installing the new mapping, removing stale shadow pages and rmap entries first.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A separate KVM x86 shadow paging use-after-free vulnerability mentioned as related background, distinct from Januscape.
A Linux kernel KVM x86 shadow paging use-after-free vulnerability caused by unexpected guest frame number (GFN) mismatches that can leave stale rmap entries and lead to dereferencing a freed kvm_mmu_page.
A related earlier KVM x86 shadow paging use-after-free vulnerability involving unexpected GFN handling; its fix addressed the leaf case but did not cover the non-leaf variant later tracked as CVE-2026-53359.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.