PatchSiren

CVE-2026-45966 Linux CVE debrief

A NULL pointer dereference vulnerability exists in the Linux kernel's AppArmor security module, specifically within the `__unix_needs_revalidation()` function. The flaw was introduced in AppArmor 5.0.0 (kernel 6.17+) when this function was added without proper NULL pointer validation. When file descriptors are received via SCM_RIGHTS (socket control message rights), both the socket pointer and the socket's `sk` (sock) pointer can be NULL during socket setup or teardown phases. The vulnerable code dereferences `sock->sk->sk_family` without first verifying that neither `sock` nor `sock->sk` is NULL, leading to a kernel crash.

The crash manifests as a NULL pointer dereference at address 0x0000000000000018 with the instruction pointer in `aa_file_perm()`. The call chain involves `apparmor_file_receive()` → `security_file_receive()` → `receive_fd()` → `scm_detach_fds()`.

This is a local vulnerability that could potentially be triggered by unprivileged users passing file descriptors through UNIX domain sockets, causing denial of service through kernel panic. The fix adds explicit NULL checks for both `sock` and `sock->sk` before accessing `sk_family`.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators running kernel 6.17 or later with AppArmor enabled; security teams monitoring for local denial-of-service vectors; organizations using container or sandbox technologies relying on AppArmor for mandatory access control

Technical summary

The vulnerability exists in the `__unix_needs_revalidation()` function in the Linux kernel's AppArmor security module. When file descriptors are received via SCM_RIGHTS control messages, the function attempts to access `sock->sk->sk_family` without validating that `sock` and `sock->sk` are non-NULL. During socket setup or teardown, these pointers can be NULL, causing a kernel NULL pointer dereference. The crash occurs in `aa_file_perm()` with a faulting address of 0x0000000000000018. The vulnerability is a regression introduced in kernel 6.17+ (AppArmor 5.0.0). The fix adds NULL checks before dereferencing these pointers.

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable tree commits addressing NULL pointer checks in `__unix_needs_revalidation()`
  • Upgrade to Linux kernel 6.17.1 or later, or applicable stable kernel series with the fix
  • If running kernel 6.17+ with AppArmor enabled, monitor for kernel panics related to `aa_file_perm` or `apparmor_file_receive`
  • Consider temporarily disabling AppArmor if immediate patching is not feasible and the denial-of-service risk is unacceptable (assess security posture impact)
  • Review systems using UNIX domain sockets with SCM_RIGHTS for file descriptor passing as potential trigger vectors
  • Audit kernel logs for NULL pointer dereference crashes at address 0x0000000000000018 with RIP in `aa_file_perm`
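
The kernel log audit described in the actions above can be scripted. This is an added example, not code from PatchSiren or the kernel project; it assumes the x86-64 oops line layout, and the sample log is constructed. It shows why the fault address alone is not enough: only the report whose RIP and call trace also match is flagged.

```python
import re

# Indicators stated in the advisory text.
FAULT_ADDR, RIP_SYMBOL, LSM_HOOK = 0x18, "aa_file_perm", "apparmor_file_receive"

# Assumption: x86-64 oops line layout, as read from dmesg or journalctl -k.
BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
RIP_RE = re.compile(r"RIP: \d+:(\w+)\+0x")
FRAME_RE = re.compile(r"\s\??\s*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Constructed sample log (not captured from a real system): two oopses, one related.
SAMPLE_LOG = """\
[  812.104233] BUG: kernel NULL pointer dereference, address: 0000000000000018
[  812.104377] RIP: 0010:aa_file_perm+0xb7/0x3b0
[  812.104455] Call Trace:
[  812.104470]  apparmor_file_receive+0x42/0x80
[  812.104488]  security_file_receive+0x2e/0x50
[  812.104501]  receive_fd+0x1d/0xf0
[  812.104515]  scm_detach_fds+0xad/0x1c0
[ 1490.220010] BUG: kernel NULL pointer dereference, address: 0000000000000018
[ 1490.220054] RIP: 0010:ext4_readdir+0x10/0x900
[ 1490.220101]  iterate_dir+0x9a/0x1c0
"""

def parse_oopses(text):
    """Split kernel log text into one record per NULL-dereference report."""
    oopses = []
    for line in text.splitlines():
        bug = BUG_RE.search(line)
        if bug:
            oopses.append({"addr": int(bug.group(1), 16), "rip": None, "frames": []})
        elif oopses:
            rip, frame = RIP_RE.search(line), FRAME_RE.search(line)
            if rip and oopses[-1]["rip"] is None:
                oopses[-1]["rip"] = rip.group(1)      # first RIP line is the faulting one
            elif frame and not rip:
                oopses[-1]["frames"].append(frame.group(1))
    return oopses

def triage(text):
    """Return oopses matching all three indicators: address, RIP symbol, LSM hook."""
    return [o for o in parse_oopses(text) if o["addr"] == FAULT_ADDR
            and o["rip"] == RIP_SYMBOL and LSM_HOOK in o["frames"]]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("possible CVE-2026-45966 crash:", hit["rip"], "<-", " <- ".join(hit["frames"]))
```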

Evidence notes

Vulnerability description confirms NULL pointer dereference in `__unix_needs_revalidation()` function introduced in AppArmor 5.0.0 (kernel 6.17+). Crash trace shows `aa_file_perm()` as the faulting location with call chain through `apparmor_file_receive()`. Three kernel.org stable tree commits provided as references. CVE published 2026-05-27T14:17:13.460Z, modified 2026-05-27T14:48:03.013Z.
