PatchSiren cyber security CVE debrief

CVE-2026-47336 Canonical CVE debrief

A use-of-uninitialized-variable flaw exists in Ubuntu's SAUCE-patched Linux 6.8 kernel within the AppArmor LSM's AF_INET/AF_INET6 socket mediation path. The bug can be triggered by an unprivileged local user and may cause AppArmor to apply incorrect fine-grained network-socket mediation decisions. The vulnerability was introduced via Ubuntu-specific SAUCE patches and is not present in upstream Linux. The CVSS 3.1 score is 3.3 (Low), reflecting a local attack vector, low attack complexity, low privileges required, and a low integrity impact with no confidentiality or availability impact.

Vendor: Canonical
Product: Ubuntu Linux
CVSS: LOW 3.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Ubuntu systems with the Linux 6.8 kernel and AppArmor enabled; security teams responsible for mandatory access control enforcement; compliance teams monitoring for LSM bypass vulnerabilities.

Technical summary

The vulnerability resides in Ubuntu's SAUCE (Ubuntu-specific) patches to Linux 6.8, specifically in the AppArmor security module's handling of AF_INET and AF_INET6 socket operations. An uninitialized variable in the socket mediation code path can lead to incorrect security decisions when AppArmor evaluates network socket access requests. Because AppArmor is a Linux Security Module (LSM) that provides mandatory access control, a flaw in its mediation logic could allow unintended network access that policy should restrict. Triggering the vulnerable code path requires only local unprivileged access. The integrity impact is rated Low because the flaw may cause incorrect policy enforcement rather than direct code execution or data disclosure.

Defensive priority

Low

Recommended defensive actions

  • Review Ubuntu security notices for kernel updates addressing CVE-2026-47336
  • Apply Ubuntu kernel security updates when available per standard patch management cycle
  • Verify AppArmor profiles are correctly enforcing network socket restrictions on affected systems
  • Monitor for anomalous network socket behavior that may indicate mediation bypass attempts
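To support the profile verification step above, the following script (an added example, not code from PatchSiren, Canonical or the AppArmor project) parses AppArmor profile text and lists the profiles whose policy depends on AF_INET/AF_INET6 network rules, i.e. the profiles whose enforcement runs through the affected mediation path and should be re-checked on Ubuntu 6.8 hosts. The profile text is a constructed sample; on a real host you would feed it the contents of the files under /etc/apparmor.d.

```python
import re

# Constructed sample profile text (not taken from any real Ubuntu package);
# it covers the common rule shapes: allow, deny, family-less "network," and
# a profile that only uses AF_UNIX.
SAMPLE_PROFILES = """\
/usr/bin/example-daemon flags=(enforce) {
  #include <abstractions/base>
  network inet stream,
  network inet6 stream,
  deny network inet dgram,
  /etc/example/** r,
}
profile example-unix /usr/bin/example-unix {
  network unix stream,
}
profile example-any /usr/bin/example-any {
  network,
}
"""

# Qualifiers (audit/deny) in group 1, everything after "network" in group 2.
NETWORK_RE = re.compile(r'^((?:(?:audit|deny)\s+)*)network\b([^,]*),$')
INET_FAMILIES = {'inet', 'inet6'}

def parse_network_rules(profile_text):
    """Map each top-level profile name to its network rules as
    (deny, family, detail) tuples; rules in nested hats count for the parent."""
    rules, depth, current = {}, 0, None
    for raw in profile_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drops comments and #include lines
        if not line:
            continue
        if depth == 0 and line.endswith('{'):
            head = line[:-1].split()          # "profile NAME ..." or "/path ..."
            current = head[1] if head[0] == 'profile' else head[0]
            rules.setdefault(current, [])
        elif current is not None:
            m = NETWORK_RE.match(line)
            if m:
                parts = m.group(2).split()
                rules[current].append(('deny' in m.group(1).split(),
                                       parts[0] if parts else None,
                                       parts[1] if len(parts) > 1 else None))
        depth += line.count('{') - line.count('}')
        if depth == 0:
            current = None
    return rules

def profiles_using_inet_mediation(profile_text):
    """Profiles with any inet/inet6 rule (allow or deny): their decisions go
    through the AF_INET/AF_INET6 mediation path described in the advisory."""
    return sorted(name for name, rs in parse_network_rules(profile_text).items()
                  if any(fam in INET_FAMILIES for _, fam, _ in rs))
```

A profile with a bare `network,` rule is unrestricted and shows up in `parse_network_rules` with family `None`; the script reports only profiles that actually restrict by address family.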

Evidence notes

The NVD entry lists the vulnerability status as 'Received'. Ubuntu kernel commit reference provided via [email protected]. CWE-457 (Use of Uninitialized Variable) assigned. The CVSS vector confirms local attack scope with integrity impact only.

Official resources

Disclosed 2026-05-28 via NVD with reference to Ubuntu kernel commit. No known exploitation or ransomware campaign use. Not listed in CISA KEV.