PatchSiren

CVE-2026-45965 Linux CVE debrief

A NULL pointer dereference vulnerability in the Linux kernel's AppArmor security module can cause a kernel oops when resolving symbolic links to profile rawdata. The issue occurs when the export_binary parameter is disabled at runtime after profiles have been loaded. When such profiles are subsequently replaced, their rawdata is set to NULL, but symbolic link resolution attempts to dereference profile->rawdata->name without checking if rawdata is NULL first. This results in a supervisor read access fault in kernel mode at address 0x88. The vulnerability is triggered through normal filesystem operations such as readlink() on the affected symbolic links in apparmorfs. The fix adds a NULL check before dereferencing rawdata.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators running AppArmor, security teams managing mandatory access control policies, kernel maintainers, and organizations using AppArmor for container or system security isolation.

Technical summary

The vulnerability exists in the AppArmor Linux security module's handling of profile rawdata symbolic links. When the export_binary parameter is disabled at runtime, previously loaded profiles retain their rawdata in apparmorfs with symbolic links pointing to it. Upon profile replacement, rawdata is set to NULL, but rawdata_get_link_base() attempts to access profile->rawdata->name without validation. The crash manifests as a NULL pointer dereference at offset 0x88 (likely the name field offset in the rawdata structure) during supervisor read access in kernel mode. The trigger path involves vfs_readlink() → rawdata_get_link_data() → rawdata_get_link_base(). The fix implements a NULL check for profile->rawdata before dereferencing. Multiple stable kernel commits indicate backporting across kernel versions.

Defensive priority

High

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available for your distribution
  • Monitor for kernel oops messages containing 'rawdata_get_link_base' in system logs
  • Avoid disabling AppArmor's export_binary parameter at runtime if profiles were loaded with it enabled
  • Review AppArmor profile replacement procedures to ensure they occur during maintenance windows
  • Consider enabling kdump to capture crash details if this vulnerability is triggered
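
For the log-monitoring action above, an added example (not code from the CVE record or the kernel project): a scanner that groups kernel log lines into oops events and flags those that fault in rawdata_get_link_base and were reached through vfs_readlink. The sample log is constructed, x86-style oops lines are assumed, and the function names parse_oopses and find_rawdata_oopses are made up for this example.

```python
import re

# Constructed sample kernel log (not from a real host); timestamps and offsets are made up.
SAMPLE_LOG = """\
[  812.340] BUG: kernel NULL pointer dereference, address: 0000000000000088
[  812.341] #PF: supervisor read access in kernel mode
[  812.342] RIP: 0010:rawdata_get_link_base.isra.0+0x23/0x330
[  812.343] Call Trace:
[  812.344]  rawdata_get_link_data+0x1c/0x30
[  812.345]  vfs_readlink+0x10e/0x150
[  812.346]  do_readlinkat+0xc5/0x180
[  812.347] ---[ end trace 0000000000000000 ]---
[  900.000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  900.001] RIP: 0010:other_driver_fn+0x12/0x40
[  900.002]  vfs_readlink+0x10e/0x150
"""

OOPS_START = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
OOPS_END = re.compile(r"---\[ end trace")
# symbol+0xOFF/0xLEN; group 1 drops compiler suffixes such as ".isra.0"
SYMBOL = re.compile(r"([A-Za-z_]\w*)(?:\.[\w.]+)?\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_oopses(text):
    """Group log lines into oops events; an oops cut off before its end marker is kept."""
    events, cur = [], None
    for line in text.splitlines():
        start = OOPS_START.search(line)
        if start:
            if cur:
                events.append(cur)  # previous oops never reached its end marker
            cur = {"address": int(start.group(1), 16), "rip": None, "trace": []}
        elif cur is not None:
            sym = SYMBOL.search(line)
            if sym and "RIP:" in line:
                cur["rip"] = cur["rip"] or sym.group(1)  # first RIP is the faulting one
            elif sym:
                cur["trace"].append(sym.group(1))
            if OOPS_END.search(line):
                events.append(cur)
                cur = None
    if cur:
        events.append(cur)
    return events

def find_rawdata_oopses(text):
    """Return oopses that fault in rawdata_get_link_base on the readlink path."""
    return [e for e in parse_oopses(text)
            if e["rip"] == "rawdata_get_link_base" and "vfs_readlink" in e["trace"]]
```

The fault address is reported but not required for a match, since the offset of the dereferenced field can differ between kernel builds.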

Evidence notes

The vulnerability description and kernel oops trace are sourced from the official CVE record published 2026-05-27. Multiple stable kernel commits are referenced indicating backports to various kernel versions. The crash occurs in rawdata_get_link_base.isra.0 with call trace through vfs_readlink and do_readlinkat, confirming the trigger path via readlink system call.

Official resources

2026-05-27