PatchSiren cyber security CVE debrief

CVE-2026-47329 Canonical CVE debrief

A validation flaw in Ubuntu's SAUCE patches for Linux kernel versions 6.8, 6.17, and 7.0 allows unprivileged local users to trigger improper handling of AppArmor notification responses. The vulnerability stems from insufficient validation of the name field size in these responses. The CVSS 3.1 score of 3.3 (Low severity) reflects the local attack vector and limited impact scope. The issue was disclosed on 2026-05-28 with NVD status 'Received'. A fix commit is available in the Ubuntu kernel repository.

Vendor: Canonical
Product: Ubuntu Linux
CVSS: LOW 3.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Ubuntu system administrators running kernel versions 6.8, 6.17, or 7.0 with AppArmor enabled, and security teams monitoring local privilege escalation vectors in containerized or multi-user environments.

Technical summary

The vulnerability exists in Ubuntu-specific SAUCE (Ubuntu Applied Changes) patches that modify AppArmor notification response handling. The name field in these responses lacks proper size validation, allowing crafted responses to trigger improper handling. An unprivileged local user can exploit this to potentially influence AppArmor security decisions. The attack requires local access with low privileges, no user interaction, and results in low integrity impact with no confidentiality or availability impact per CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.

Defensive priority

low

Recommended defensive actions

  • Review Ubuntu kernel SAUCE patch status for systems running Linux 6.8, 6.17, or 7.0
  • Apply Ubuntu kernel updates containing commit 9ea8b64b3ad27d0501cf711efa98077998a33b14 or later
  • Monitor AppArmor audit logs for anomalous notification patterns
  • Validate AppArmor profile enforcement remains functional after patching
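
For the first action, a host-side scope check can be scripted. The following is an added example, not code from Canonical or from this advisory: it flags hosts that run an Ubuntu-built kernel in one of the listed series with AppArmor enabled. It cannot confirm that the fix is installed, because the advisory gives a commit id rather than fixed package versions. The function names and verdict strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example: scope triage for the affected kernel series.
# It does not detect whether the fix commit is present in the running kernel.

AFFECTED_SERIES="6.8 6.17 7.0"   # series named in the advisory

# kernel_series RELEASE -> prints MAJOR.MINOR (6.8.0-45-generic -> 6.8)
kernel_series() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# in_affected_series RELEASE -> exit 0 when the series is listed.
# Exact string comparison keeps 6.1 and 6.17 apart.
in_affected_series() {
    series=$(kernel_series "$1")
    [ -n "$series" ] || return 1
    for s in $AFFECTED_SERIES; do
        [ "$s" = "$series" ] && return 0
    done
    return 1
}

# classify RELEASE IS_UBUNTU(yes|no) APPARMOR(Y|N) -> prints a triage verdict
classify() {
    release=$1; ubuntu=$2; apparmor=$3
    if [ "$ubuntu" != yes ]; then echo "out-of-scope: not an Ubuntu kernel"
    elif ! in_affected_series "$release"; then echo "out-of-scope: series not listed"
    elif [ "$apparmor" != Y ]; then echo "review: affected series, AppArmor not enabled"
    else echo "in-scope: verify kernel update is installed"
    fi
}

# triage_local: collect the three facts from the running host
triage_local() {
    is_ubuntu=no
    # /proc/version_signature is present on Ubuntu-built kernels
    if [ -r /proc/version_signature ] && grep -q '^Ubuntu' /proc/version_signature; then
        is_ubuntu=yes
    fi
    aa=N
    if [ -r /sys/module/apparmor/parameters/enabled ]; then
        aa=$(cat /sys/module/apparmor/parameters/enabled)
    fi
    classify "$(uname -r)" "$is_ubuntu" "$aa"
}

triage_local
```

A host reported as in-scope still needs its installed kernel package compared against the Ubuntu update that carries the fix commit.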

Evidence notes

Vulnerability affects Ubuntu SAUCE patches specifically; upstream Linux kernels without these patches are not impacted. The fix commit demonstrates size validation was added to the AppArmor notification response handling code.
