PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23269 Linux CVE debrief

A slab-out-of-bounds read vulnerability exists in the Linux kernel's AppArmor security module. During policy unpacking, the `unpack_pdb()` function reads DFA (Deterministic Finite Automaton) start states from untrusted policy data and stores them as indexes into the DFA state tables without checking them against the number of states the DFA actually has. When `aa_dfa_next()` is later called with such a start state, it reads `dfa->tables[YYTD_ID_BASE][start]`, which lands outside the table's slab allocation whenever the start state exceeds the state count. The fix adds validation during unpacking so that a policy with an out-of-bounds start state is rejected before any table lookup takes place. The CVE was published in March 2026; affected versions span kernel 3.4 up to the fixed release on each stable branch.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-18
Original CVE updated
2026-05-29
Advisory published
2026-03-18
Advisory updated
2026-05-29

Who should care

Linux system administrators, kernel maintainers, security teams managing AppArmor deployments, and organizations running container or host workloads with AppArmor mandatory access controls enabled. The attack vector is local: an attacker must load a crafted AppArmor policy, which requires CAP_MAC_ADMIN (the capability checked on policy loads) or an equivalent privileged path, so exposure is limited to already-compromised privileged contexts or systems that allow untrusted parties to load policy.

Technical summary

The vulnerability is an out-of-bounds read (CWE-125) in the Linux kernel's AppArmor module, specifically in the `unpack_pdb()` function during policy unpacking. DFA start states are read from untrusted policy data and kept as array indexes without a bounds check. The `aa_dfa_next()` function then dereferences `dfa->tables[YYTD_ID_BASE][start]`, producing a slab-out-of-bounds read when `start` is greater than or equal to the DFA's state count. KASAN reports this as a 4-byte read beyond the allocated slab object, the width of one 32-bit table entry. The fix validates each start state against the DFA state count during unpacking and rejects the malformed policy before it can reach `aa_dfa_next()`.
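The two code paths the summary describes, side by side, as an added C model that is not the kernel's code: `mini_dfa`, `lookup_unchecked`, `unpack_start_checked`, `load_policy`, the policy-blob layout and the guard values are all assumptions chosen so the over-read is observable without KASAN. The unchecked lookup reproduces the pre-fix behaviour (an untrusted start state indexes the base table directly); the checked unpack shows the class of validation the fix adds.

```c
/* Added model of the bug class in CVE-2026-23269, not the kernel's code.
 * A DFA start state arrives in untrusted policy bytes; the vulnerable path
 * uses it as an index into tables[YYTD_ID_BASE] unchecked, the fixed path
 * rejects it at unpack time. All names and layouts here are ours. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define YYTD_ID_BASE 0           /* table slot used by the walker; position only */
#define NTABLES      1
#define NSTATES      4           /* states the DFA actually has */
#define GUARD        0xDEADBEEFu /* marks memory beyond the table */

struct mini_dfa {
    uint32_t  nstates;
    uint32_t *tables[NTABLES];   /* tables[YYTD_ID_BASE] has nstates entries */
};

/* Constructed "slab": the base table followed by guard words that stand in
 * for whatever object happens to sit next to it. Keeping the guards inside
 * one C array makes the over-read observable without KASAN. */
static uint32_t base_storage[NSTATES + 4] = {
    10, 20, 30, 40, GUARD, GUARD, GUARD, GUARD
};
static struct mini_dfa dfa = { NSTATES, { base_storage } };

/* Vulnerable pattern (pre-fix behaviour): trust `start` and index the base
 * table directly, as the walker does with a start state that unpack never
 * validated. For start >= nstates this reads past the table. */
uint32_t lookup_unchecked(const struct mini_dfa *d, uint32_t start)
{
    return d->tables[YYTD_ID_BASE][start];
}

/* Hardened pattern (what the fix adds, in spirit): bounds-check the start
 * state against the state count while unpacking, before any table lookup.
 * Returns 0 and stores the start, or -1 so the caller rejects the policy. */
int unpack_start_checked(const struct mini_dfa *d, uint32_t untrusted_start,
                         uint32_t *out_start)
{
    if (untrusted_start >= d->nstates)
        return -1;
    *out_start = untrusted_start;
    return 0;
}

/* Read the first little-endian u32 of a policy blob as the start state
 * (the blob layout is our own, not AppArmor's wire format). */
int load_policy(const struct mini_dfa *d, const unsigned char *blob,
                size_t len, uint32_t *out_start)
{
    uint32_t start;

    if (len < 4)
        return -1;
    start = (uint32_t)blob[0] | ((uint32_t)blob[1] << 8) |
            ((uint32_t)blob[2] << 16) | ((uint32_t)blob[3] << 24);
    return unpack_start_checked(d, start, out_start);
}

int main(void)
{
    /* Constructed inputs: start state 1 (valid) and 7 (beyond 4 states). */
    static const unsigned char good[4] = { 0x01, 0, 0, 0 };
    static const unsigned char bad[4]  = { 0x07, 0, 0, 0 };
    uint32_t start;

    printf("unchecked lookup, start=7: 0x%08x (memory past the table)\n",
           lookup_unchecked(&dfa, 7));
    printf("checked load, start=1: %d\n", load_policy(&dfa, good, 4, &start));
    printf("checked load, start=7: %d (policy rejected)\n",
           load_policy(&dfa, bad, 4, &start));
    return 0;
}
```

The check belongs at unpack time rather than in the walker because `aa_dfa_next()` runs on every access decision; validating once, when the policy is loaded by a privileged process, keeps the hot path unchanged and turns a memory-safety bug into a rejected load.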

Defensive priority

high

Recommended defensive actions

  • Apply the stable kernel patch for your branch: 5.10.253, 5.15.203, 6.1.169, 6.6.130, 6.12.77, 6.18.18, 6.19.8, or a later release on the same branch
  • If running pre-release kernels, update to 7.0-rc4 or later
  • Confirm that AppArmor policy loading is restricted to trusted administrative contexts (CAP_MAC_ADMIN): audit which processes can invoke apparmor_parser or write to the apparmorfs .load/.replace interfaces
  • Treat KASAN slab-out-of-bounds reports naming aa_dfa_next or unpack_pdb as exploitation indicators, with the caveat that production kernels are rarely built with KASAN; on such systems a crafted policy leaves no KASAN trace, so the practical signal is the policy load itself (unexpected apparmor_parser invocations, or, once patched, policy loads that now fail)
  • Review the Qualys advisory for additional technical context on AppArmor policy parsing weaknesses

Evidence notes

CVE published 2026-03-18; modified 2026-05-29. CVSS 3.1 score 7.1 (HIGH). CWE-125 (Out-of-bounds Read). Affects Linux kernel versions from 3.4 up to, but not including, the fixed release on each stable branch (6.19.8 on the newest stable line), plus 7.0-rc1 through rc3. Multiple stable branch patches available. Third-party advisory from Qualys references 'crack-armor' research.

Official resources

2026-03-18