CVE-2026-23407 (PATCHED) · CVSS 7.8
Linux kernel · apparmor

apparmor: fix missing bounds check on DEFAULT table in verify_dfa()

Description

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix missing bounds check on DEFAULT table in verify_dfa()

The verify_dfa() function only checks DEFAULT_TABLE bounds when the state is not differentially encoded.

When the verification loop traverses the differential encoding chain, it reads k = DEFAULT_TABLE[j] and uses k as an array index without validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count, therefore, causes both out-of-bounds reads and writes.

[ 57.179855] ==================================================================
[ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660
[ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993
[ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 57.181563] Call Trace:
[ 57.181572] <TASK>
[ 57.181577] dump_stack_lvl+0x5e/0x80
[ 57.181596] print_report+0xc8/0x270
[ 57.181605] ? verify_dfa+0x59a/0x660
[ 57.181608] kasan_report+0x118/0x150
[ 57.181620] ? verify_dfa+0x59a/0x660
[ 57.181623] verify_dfa+0x59a/0x660
[ 57.181627] aa_dfa_unpack+0x1610/0x1740
[ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470
[ 57.181640] unpack_pdb+0x86d/0x46b0
[ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181656] ? aa_unpack_nameX+0x1a8/0x300
[ 57.181659] aa_unpack+0x20b0/0x4c30
[ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181664] ? stack_depot_save_flags+0x33/0x700
[ 57.181681] ? kasan_save_track+0x4f/0x80
[ 57.181683] ? kasan_save_track+0x3e/0x80
[ 57.181686] ? __kasan_kmalloc+0x93/0xb0
[ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780
[ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130
[ 57.181697] ? policy_update+0x154/0x330
[ 57.181704] aa_replace_profiles+0x15a/0x1dd0
[ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780
[ 57.181712] ? aa_loaddata_alloc+0x77/0x140
[ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181717] ? _copy_from_user+0x2a/0x70
[ 57.181730] policy_update+0x17a/0x330
[ 57.181733] profile_replace+0x153/0x1a0
[ 57.181735] ? rw_verify_area+0x93/0x2d0
[ 57.181740] vfs_write+0x235/0xab0
[ 57.181745] ksys_write+0xb0/0x170
[ 57.181748] do_syscall_64+0x8e/0x660
[ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 57.181765] RIP: 0033:0x7f6192792eb2

Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE entries unconditionally.
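
The missing check described above, as an added example: a simplified user-space model, not the kernel's code or the upstream patch. The struct, function names, flag value and 4-state table are constructed for illustration, and storing the diff-encode flag in the state's base entry is an assumption of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
/* Constructed stand-in for MATCH_FLAG_DIFF_ENCODE; the bit value is illustrative. */
#define DIFF_ENCODE 0x80000000u

struct dfa_model {                 /* hypothetical, not the kernel's DFA struct */
    size_t state_count;
    const uint32_t *base;          /* per-state flags (assumed home of the diff flag) */
    const uint32_t *dflt;          /* models DEFAULT_TABLE */
};

/* Pre-fix shape: the bounds check is skipped for differentially encoded states. */
static int bounds_ok_prefix(const struct dfa_model *d) {
    for (size_t i = 0; i < d->state_count; i++)
        if (!(d->base[i] & DIFF_ENCODE) && d->dflt[i] >= d->state_count) return 0;
    return 1;
}

/* Post-fix shape: every DEFAULT_TABLE entry is validated unconditionally. */
static int bounds_ok_fixed(const struct dfa_model *d) {
    for (size_t i = 0; i < d->state_count; i++)
        if (d->dflt[i] >= d->state_count) return 0;
    return 1;
}

/* Walks each chain via k = DEFAULT_TABLE[j]; returns the first k that would be used
 * as an out-of-range index, or -1. Checks before indexing, so it never goes OOB. */
static long first_oob_chain_target(const struct dfa_model *d) {
    for (size_t i = 0; i < d->state_count; i++)
        for (size_t j = i, n = 0; (d->base[j] & DIFF_ENCODE) && n < d->state_count; n++) {
            size_t k = d->dflt[j];
            if (k >= d->state_count) return (long)k;
            if (k <= j) break;     /* self-reference or lower state: stop following */
            j = k;
        }
    return -1;
}

/* Constructed 4-state table: state 2 is diff-encoded and points at state 9. */
static const uint32_t BASE[4] = {0, DIFF_ENCODE, DIFF_ENCODE, 0};
static const uint32_t DFLT[4] = {0, 2, 9, 1};
static const struct dfa_model MALFORMED = {4, BASE, DFLT};

int main(void) {
    printf("prefix=%d fixed=%d ", bounds_ok_prefix(&MALFORMED), bounds_ok_fixed(&MALFORMED));
    printf("oob_target=%ld\n", first_oob_chain_target(&MALFORMED));
    return 0;
}
```

The conditional check accepts the constructed table even though the chain from state 1 reaches index 9; the unconditional check rejects it before any chain is walked.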

Affected Products

Vendor | Product | Versions
Linux kernel | apparmor | 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3, 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3, 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3, 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3, 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3, 4.17

References

  • https://git.kernel.org/stable/c/7c7cf05e0606f554c467e3a4dc49e2e578a755b4
  • https://git.kernel.org/stable/c/76b4d36c5122866452d34d8f79985e191f9c3831
  • https://git.kernel.org/stable/c/5a68e46dfe0c8c8ffc6f425ebc4cae6238566ecc
  • https://git.kernel.org/stable/c/f39e126e56c6ec1930fae51ad6bca3dae2a4c3ed
  • https://git.kernel.org/stable/c/d352873bbefa7eb39995239d0b44ccdf8aaa79a4

Related News (1 articles)

Tier C · Linux Kernel CVEs · 6d ago
CVE-2026-23407: apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
→ No new info (linked only)
CVSS 3.1: 7.8 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available:
  • 7c7cf05e0606f554c467e3a4dc49e2e578a755b4
  • 76b4d36c5122866452d34d8f79985e191f9c3831
  • 5a68e46dfe0c8c8ffc6f425ebc4cae6238566ecc
  • f39e126e56c6ec1930fae51ad6bca3dae2a4c3ed
  • d352873bbefa7eb39995239d0b44ccdf8aaa79a4
  • 0, 6.6.130, 6.12.77, 6.18.18, 6.19.8, 7.0-rc4
Published: Apr 1, 2026
Last enriched: 5d ago (v2)
Trending Score: 12
Source articles: 1
Independent: 1
Info Completeness: 6/14
Missing: cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

NONE · CVE-2026-23398
In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_d
Trending: 40
HIGH · CVE-2026-23408
apparmor: Fix double free of ns_name in aa_replace_profiles()
Trending: 12
HIGH · CVE-2026-23410
apparmor: fix race on rawdata dereference
Trending: 12
NONE · CVE-2026-23396
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL deref in mesh_matches_local() mesh_matches_local() unconditionally dereferences ie->mesh_config to compar
Trending: 12
HIGH · CVE-2026-23411
apparmor: fix race between freeing data and fs accessing it
Trending: 12

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published
Apr 1, 2026
Discovered by ZDM
Apr 1, 2026
Updated: vendor, product, affectedVersions
Apr 1, 2026
Patch Available
Apr 2, 2026

Version History

v2 · Tier C · 5d ago

Added vendor and product information, updated affected versions, and marked the vulnerability as HIGH severity with exploit availability.

vendor, product, affectedVersions
via Linux Kernel CVEs

v1 · 6d ago

Initial creation