How to defend ARM64 cloud infrastructure

Description

ITScape (CVE-2026-46316) is a guest-to-host escape vulnerability in the vGIC-ITS emulation within KVM/arm64, disclosed by researcher Hyunwoo Kim. The flaw stems from a race condition in the vgic_its_invalidate_cache() function causing a double-put use-after-free, enabling host kernel code execution. Since the bug exists in in-kernel KVM rather than QEMU user-space, successful exploitation grants host kernel privileges, posing significant risk to multi-tenant ARM64 cloud environments. The vulnerability can be chained with local privilege escalation when guest root access is unavailable. Affected kernels range from commit 8201d1028caa through 13031fb6b835, when the patch was applied. Two YARA rules have been developed for detection: one targeting hardcoded constants from the proof-of-concept, another identifying behavioral patterns in privilege drop sequences.