PatchSiren cyber security CVE debrief

CVE-2026-45884 Linux CVE debrief

A vulnerability in the Linux kernel's AppArmor security module could cause memory pressure and performance degradation under specific conditions. The flaw exists in the per-CPU buffer cache management code where an unsigned integer underflow prevents proper buffer recycling between CPUs. When triggered, this causes buffers to remain stranded on individual CPUs rather than being returned to the global pool, forcing repeated large memory allocations and potentially exhausting kernel memory. The issue has been resolved by adding a guard condition to prevent the hold counter from underflowing.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators running kernels with AppArmor enabled, particularly those with high-frequency path lookups or constrained memory environments; security teams monitoring for kernel-level denial-of-service conditions; distribution maintainers responsible for kernel stable backports

Technical summary

The vulnerability is located in security/apparmor/path.c in the aa_get_buffer() function. The per-CPU buffer cache uses two counters: 'count' tracking allocated buffers and 'hold' tracking references. When aa_get_buffer() retrieves a buffer from the per-CPU list, it unconditionally decrements cache->hold. If hold reaches 0 while count > 0, the unsigned 32-bit decrement wraps to UINT_MAX. This artificially inflated hold value prevents aa_put_buffer() from returning buffers to the global free list, causing per-CPU cache starvation. The fix adds a conditional check to only decrement hold when it is greater than zero, preventing the underflow condition.
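The counter interplay described above, modelled as an added C example that is neither the kernel's code nor this page's own: a simplified per-CPU cache carrying only the count and hold counters, with buffers represented as numbers rather than list entries, and with model_get_buffer, model_put_buffer, hold_after_take and buffers_returned_to_global as assumed names. The unguarded decrement wraps hold to UINT32_MAX, after which every release stays on the CPU instead of reaching the global pool; the guarded decrement keeps hold at zero and the buffers flow back.

```c
#include <stdint.h>
#include <stdbool.h>
/* Simplified model of the per-CPU buffer cache (constructed for this
 * debrief, not the kernel's code); buffers are represented as counters. */
struct cpu_cache {
    uint32_t count;   /* buffers parked on this CPU's list */
    uint32_t hold;    /* "keep releases local" reference count */
    uint32_t global;  /* buffers returned to the shared pool */
};

/* Take a buffer from the per-CPU list. The flaw is the unguarded
 * decrement: with hold already 0, 0 - 1 wraps to UINT32_MAX. */
static void model_get_buffer(struct cpu_cache *c, bool guarded)
{
    if (c->count == 0)
        return;             /* real code would allocate afresh here */
    c->count--;
    if (!guarded || c->hold > 0)
        c->hold--;
}

/* Release a buffer: only hold == 0 lets it leave this CPU. */
static void model_put_buffer(struct cpu_cache *c)
{
    if (c->hold == 0) {
        c->global++;
        return;
    }
    c->count++;             /* stranded on this CPU */
}

/* hold after one take from a cache with count > 0 and hold == 0 */
uint32_t hold_after_take(bool guarded)
{
    struct cpu_cache c = { .count = 1, .hold = 0, .global = 0 };
    model_get_buffer(&c, guarded);
    return c.hold;
}

/* Take two cached buffers (hold already 0), release both, and report
 * how many reached the global pool: unguarded 0, guarded 2. */
uint32_t buffers_returned_to_global(bool guarded)
{
    struct cpu_cache c = { .count = 2, .hold = 0, .global = 0 };
    model_get_buffer(&c, guarded);
    model_get_buffer(&c, guarded);
    model_put_buffer(&c);
    model_put_buffer(&c);
    return c.global;
}
```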

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available for your distribution
  • Monitor for kernel memory pressure indicators if running affected kernels with heavy AppArmor policy enforcement
  • Consider temporary mitigation via AppArmor policy tuning to reduce path lookup frequency if memory pressure is observed
  • Verify buffer cache behavior through /sys/kernel/security/apparmor/debug interfaces if available

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-27. The fix involves guarding a decrement operation on cache->hold in aa_get_buffer() to prevent unsigned integer wraparound when hold reaches zero while count remains non-zero. Multiple stable kernel commits are referenced, indicating backports to maintained kernel branches.

Official resources

2026-05-27