CVE-2026-45848 Linux CVE debrief

Who should care

Linux system administrators running kernels with AppArmor enabled, particularly those hosting multi-tenant environments, containers, or systems with untrusted local users where kernel stability is critical.

Technical summary

The vulnerability exists in `aa_sock_file_perm()` in the Linux kernel's AppArmor LSM. During socket lifecycle operations, the function may encounter NULL `sock` or `sock->sk` pointers, leading to a NULL pointer dereference and kernel oops. This is particularly relevant for af_unix sockets during setup/teardown phases. The fix adds defensive NULL checks before dereferencing these pointers. Multiple stable kernel branches have received backports of this fix.

Defensive priority

high

Recommended defensive actions

• Apply kernel updates containing the referenced stable commits for affected kernel versions
• Review AppArmor policies on systems where kernel updates cannot be immediately applied
• Monitor kernel logs for oops messages related to AppArmor socket operations
• Prioritize patching on systems with untrusted local users or container workloads using AppArmor confinement

Evidence notes

The vulnerability description indicates this is a NULL pointer dereference in AppArmor's socket permission handling. Multiple stable kernel commits are referenced, suggesting backports to various kernel versions. The fix addresses a gap where socket structures may be incompletely initialized or partially torn down during permission checks.

Official resources