Home

Description

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix missing bounds check on DEFAULT table in verify_dfa() The verify_dfa() function only checks DEFAULT_TABLE bounds when the state is not differentially encoded. When the verification loop traverses the differential encoding chain, it reads k = DEFAULT_TABLE[j] and uses k as an array index without validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count, therefore, causes both out-of-bounds reads and writes. [ 57.179855] ================================================================== [ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660 [ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993 [ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy) [ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 57.181563] Call Trace: [ 57.181572] <TASK> [ 57.181577] dump_stack_lvl+0x5e/0x80 [ 57.181596] print_report+0xc8/0x270 [ 57.181605] ? verify_dfa+0x59a/0x660 [ 57.181608] kasan_report+0x118/0x150 [ 57.181620] ? verify_dfa+0x59a/0x660 [ 57.181623] verify_dfa+0x59a/0x660 [ 57.181627] aa_dfa_unpack+0x1610/0x1740 [ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470 [ 57.181640] unpack_pdb+0x86d/0x46b0 [ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181656] ? aa_unpack_nameX+0x1a8/0x300 [ 57.181659] aa_unpack+0x20b0/0x4c30 [ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181664] ? stack_depot_save_flags+0x33/0x700 [ 57.181681] ? kasan_save_track+0x4f/0x80 [ 57.181683] ? kasan_save_track+0x3e/0x80 [ 57.181686] ? __kasan_kmalloc+0x93/0xb0 [ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780 [ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130 [ 57.181697] ? policy_update+0x154/0x330 [ 57.181704] aa_replace_profiles+0x15a/0x1dd0 [ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780 [ 57.181712] ? aa_loaddata_alloc+0x77/0x140 [ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181717] ? _copy_from_user+0x2a/0x70 [ 57.181730] policy_update+0x17a/0x330 [ 57.181733] profile_replace+0x153/0x1a0 [ 57.181735] ? rw_verify_area+0x93/0x2d0 [ 57.181740] vfs_write+0x235/0xab0 [ 57.181745] ksys_write+0xb0/0x170 [ 57.181748] do_syscall_64+0x8e/0x660 [ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 57.181765] RIP: 0033:0x7f6192792eb2 Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE entries unconditionally.

PUBLISHED Reserved 2026-01-13 | Published 2026-04-01 | Updated 2026-05-11 | Assigner Linux




HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Product status

Default status
unaffected

031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 (git) before 555829fd91eaf0711e369b0a92aecb0f0aa3281f
affected

031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 (git) before a75e12ca90c9e70ba10fee1be2f63cdd63d91a7c
affected

031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 (git) before 22094c996968a7c5b59cd3fc9fcbdfdd46d02fec
affected

031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 (git) before 7c7cf05e0606f554c467e3a4dc49e2e578a755b4
affected

031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 (git) before 76b4d36c5122866452d34d8f79985e191f9c3831
affected

031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 (git) before 5a68e46dfe0c8c8ffc6f425ebc4cae6238566ecc
affected

031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 (git) before f39e126e56c6ec1930fae51ad6bca3dae2a4c3ed
affected

031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 (git) before d352873bbefa7eb39995239d0b44ccdf8aaa79a4
affected

Default status
affected

4.17
affected

Any version before 4.17
unaffected

5.10.253 (semver)
unaffected

5.15.203 (semver)
unaffected

6.1.169 (semver)
unaffected

6.6.130 (semver)
unaffected

6.12.77 (semver)
unaffected

6.18.18 (semver)
unaffected

6.19.8 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/555829fd91eaf0711e369b0a92aecb0f0aa3281f

git.kernel.org/...c/a75e12ca90c9e70ba10fee1be2f63cdd63d91a7c

git.kernel.org/...c/22094c996968a7c5b59cd3fc9fcbdfdd46d02fec

git.kernel.org/...c/7c7cf05e0606f554c467e3a4dc49e2e578a755b4

git.kernel.org/...c/76b4d36c5122866452d34d8f79985e191f9c3831

git.kernel.org/...c/5a68e46dfe0c8c8ffc6f425ebc4cae6238566ecc

git.kernel.org/...c/f39e126e56c6ec1930fae51ad6bca3dae2a4c3ed

git.kernel.org/...c/d352873bbefa7eb39995239d0b44ccdf8aaa79a4

cve.org (CVE-2026-23407)

nvd.nist.gov (CVE-2026-23407)

Download JSON