CVE-2026-23409EXPLOITEDPATCHED

Linux · Linux

apparmor: fix differential encoding verification

Description

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix differential encoding verification Differential encoding allows loops to be created if it is abused. To prevent this the unpack should verify that a diff-encode chain terminates. Unfortunately the differential encode verification had two bugs. 1. it conflated states that had gone through check and already been marked, with states that were currently being checked and marked. This means that loops in the current chain being verified are treated as a chain that has already been verified. 2. the order bailout on already checked states compared current chain check iterators j,k instead of using the outer loop iterator i. Meaning a step backwards in states in the current chain verification was being mistaken for moving to an already verified state. Move to a double mark scheme where already verified states get a different mark, than the current chain being kept. This enables us to also drop the backwards verification check that was the cause of the second error as any already verified state is already marked.

Affected Products

Vendor	Product	Versions
Linux	Linux	031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3, 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3, 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3, 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3, 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3, 4.17, 6.6.129, 6.12.76, 6.18.17, 6.19.7, 7.0-rc3

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
linux	linux	mitre_affected	90%

References

Related News (2 articles)

Tier C

VulDB3h ago

CVE-2026-23409 | Linux Kernel up to 6.6.129/6.12.76/6.18.17/6.19.7/7.0-rc3 apparmor encoding error

→ No new info (linked only)

Tier C

Linux Kernel CVEs4h ago

CVE-2026-23409: apparmor: fix differential encoding verification

→ No new info (linked only)

CVSS 3.17.5 CRITICAL

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

f90e3ecd9e1ed69f1a370f866ceed1f104f3ab4a34fc60b125ed1d4eb002c76b0664bf0619492167623a9d211bbbb031bb1cbdb38b23487648167f8a1ff4857fac56ac5a90ee63b24db05fa5e91a45aa39440b137546a3aa383cfdabc605fb73811b609306.6.1306.12.776.18.186.19.87.0-rc4

PublishedApr 1, 2026

Last enriched2h agov3

Trending Score61

Source articles2

Independent2

Info Completeness8/14

Missing: epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-23406EXP

apparmor: fix side-effect bug in match_char() macro usage

Trending: 64

HIGHCVE-2026-23269EXP

In the Linux kernel, the following vulnerability has been resolved: apparmor: validate DFA start states are in bounds in unpack_pdb Start states are read from untrusted data and used as indexes into

Trending: 62

CRITICALCVE-2026-23400EXP

rust_binder: call set_notification_done() without proc lock

Trending: 46

CRITICALCVE-2026-23399EXP

nf_tables: nft_dynset: fix possible stateful expression memleak in error path

Trending: 44

CRITICALCVE-2026-23408

apparmor: Fix double free of ns_name in aa_replace_profiles()

Trending: 41

Pin to Dashboard

Verification

State: verified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 1, 2026

Discovered by ZDM

Apr 1, 2026

Updated: affectedVersions, cvssEstimate, cweIds

Apr 1, 2026

Actively Exploited

Apr 1, 2026

Patch Available

Apr 1, 2026

Updated: affectedVersions, severity, activelyExploited

Apr 1, 2026

Version History

Last enriched 2h ago

v3Tier C2h ago

Updated affected versions, changed severity to CRITICAL, and noted that no exploit is available.

affectedVersionsseverityactivelyExploited

via VulDB

v2Tier C4h ago

Updated description with detailed technical information, added affected version 4.17, changed severity to HIGH, updated CVSS estimate to 7.5, added CWE-20, and marked exploit availability and active exploitation as true.

affectedVersionscvssEstimatecweIds

via Linux Kernel CVEs

v14h ago

Initial creation