PatchSiren

CVE-2026-47327 Canonical CVE debrief

A NULL pointer dereference vulnerability exists in Ubuntu Linux kernel SAUCE patches for AppArmor notifications. The flaw affects kernel versions 6.8, 6.17, and 7.0. An unprivileged local user can trigger the bug, resulting in a kernel oops (denial of service). The vulnerability was published on 2026-05-28 with a CVSS 3.1 score of 3.3 (Low severity). The root cause is improper NULL pointer handling in AppArmor notification code paths (CWE-476).

Vendor: Canonical
Product: Ubuntu Linux
CVSS: LOW 3.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

System administrators running Ubuntu Linux with kernels 6.8, 6.17, or 7.0; security teams monitoring kernel-level vulnerabilities; and organizations relying on AppArmor for mandatory access control.

Technical summary

The vulnerability resides in SAUCE patches (Ubuntu-specific patches applied on top of the upstream kernel) that modify AppArmor notification handling. An unprivileged local user can trigger a NULL pointer dereference while AppArmor notifications are being processed. The result is a kernel oops, causing denial of service through system instability or a crash. The attack requires local access and low privileges but no user interaction. There is no confidentiality or integrity impact; only availability is affected.

Defensive priority

Low

Recommended defensive actions

  • Review Ubuntu security notices for kernel updates addressing CVE-2026-47327
  • Apply kernel patches when available through standard Ubuntu update channels
  • Monitor systems for unexpected kernel oops messages in dmesg or system logs
  • Consider restricting unprivileged user access where practical as a defense-in-depth measure
  • Validate kernel version and presence of SAUCE patches in use
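
One way to automate the kernel-version and dmesg checks from the list above, as an added example that is not part of the advisory or of any Canonical tooling. It assumes AppArmor symbols in an oops trace carry the aa_ or apparmor_ prefix; the function names and the sample log are constructed placeholders.

```python
import re

# Series named on the page; a match means "check the Ubuntu notice", not "unpatched".
AFFECTED_SERIES = {(6, 8), (6, 17), (7, 0)}
NULL_DEREF = re.compile(r"BUG: (unable to handle )?kernel NULL pointer dereference")
END_TRACE = re.compile(r"---\[ end trace")
# Assumption: AppArmor kernel symbols carry an aa_ or apparmor_ prefix. The page
# does not name the faulting function, so this match is a heuristic.
AA_SYMBOL = re.compile(r"\b((?:aa|apparmor)_[\w.]+)\+0x")
COMM = re.compile(r"\bComm: (\S+)")

def in_affected_series(release):
    """True if a `uname -r` string falls in a kernel series named on the page."""
    m = re.match(r"(\d+)\.(\d+)", release)
    return bool(m) and (int(m.group(1)), int(m.group(2))) in AFFECTED_SERIES

def find_apparmor_null_oops(lines, max_block=60):
    """Return one record per NULL-dereference oops whose trace hits AppArmor."""
    hits, block = [], None
    # The sentinel closes an oops that is cut off at the end of the input.
    for line in list(lines) + ["---[ end trace (end of input) ]---"]:
        if block is not None:
            block["seen"] += 1
            block["symbols"] += AA_SYMBOL.findall(line)
            comm = COMM.search(line)
            block["comm"] = block["comm"] or (comm and comm.group(1))
            done = END_TRACE.search(line) or NULL_DEREF.search(line)
            if done or block["seen"] >= max_block:
                if block["symbols"]:
                    hits.append(block)
                block = None
        if NULL_DEREF.search(line):
            block = {"header": line.strip(), "symbols": [], "comm": None, "seen": 0}
    return hits

# Constructed sample log; symbol and process names are placeholders.
SAMPLE_LOG = """\
[  100.000001] audit: type=1400 apparmor="ALLOWED" operation="open"
[  200.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  200.000002] CPU: 1 PID: 4242 Comm: demo Not tainted 6.8.0-00-generic
[  200.000003] RIP: 0010:aa_placeholder_notify+0x1a/0x90
[  200.000004]  apparmor_placeholder_hook+0x33/0x70
[  200.000005] ---[ end trace 0000000000000000 ]---
[  300.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  300.000002] RIP: 0010:placeholder_driver_fn+0x10/0x40
""".splitlines()
if __name__ == "__main__":
    for hit in find_apparmor_null_oops(SAMPLE_LOG):
        print(hit["comm"], hit["symbols"])
```

On a live host, feed it the lines from `dmesg` or `journalctl -k` and pass the output of `uname -r` to in_affected_series.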

Evidence notes

The vulnerability description identifies specific Ubuntu kernel versions (6.8, 6.17, 7.0) containing SAUCE patches with the vulnerable AppArmor notification handling code. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) confirms local attack vector with low attack complexity, requiring low privileges and resulting in availability impact only. The weakness is classified as CWE-476 (NULL Pointer Dereference).

Official resources

The vulnerability was disclosed on 2026-05-28 via NVD with official references to Ubuntu kernel source code commits. No known exploitation in the wild has been reported.