PatchSiren

CVE-2026-46055 Linux CVE debrief

A slab-out-of-bounds read vulnerability exists in the Linux kernel's AppArmor security module, specifically within the DFA (Deterministic Finite Automaton) matching logic used for mount path validation. The issue stems from a missing string termination check in `aa_dfa_match()` at `security/apparmor/match.c:535`, triggered when processing mount operations via `aa_bind_mount()`. The KASAN report indicates a read of 1 byte beyond an 8192-byte kmalloc buffer allocated in `aa_get_buffer()`, occurring during `snap-update-ns` execution on ARM64 (Qualcomm Snapdragon X1). The vulnerability is reproducible on Linux 7.0-rc4 with Ubuntu 26.04. The fix involves ensuring proper string termination before DFA matching to prevent out-of-bounds access.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux kernel maintainers, Ubuntu/Debian security teams, ARM64 server administrators, organizations using AppArmor for mandatory access control, snapd deployment operators, and security teams monitoring kernel memory safety issues

Technical summary

The vulnerability is a slab-out-of-bounds read in the Linux kernel's AppArmor security module, occurring in `aa_dfa_match()` at `security/apparmor/match.c:535`. The root cause is a missing string termination check when matching mount paths against AppArmor policy rules. The DFA matching logic reads beyond allocated buffer boundaries when processing strings that lack proper null termination. The issue manifests during `snap-update-ns` operations on ARM64 systems, with KASAN detecting a 1-byte read past an 8192-byte kmalloc-rnd-06-8k cache object. The vulnerability is triggered through the mount system call path: `__arm64_sys_mount` → `path_mount` → `security_sb_mount` → `apparmor_sb_mount` → `aa_bind_mount` → `match_mnt` → `match_mnt_path_str` → `aa_dfa_match`. The fix ensures proper string termination before invoking DFA matching operations.
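The failure mode described above, reduced to a user-space C model (an added example, not the kernel's or AppArmor's code): a walk that stops only at a NUL byte runs past a buffer whose contents fill it exactly, and terminating inside the buffer before matching bounds the walk. `BUF_SIZE`, `BACKING`, `step`, `walk_str` and `bytes_walked` are hypothetical names, the toy DFA and sample paths are constructed, and how the real buffer came to lack a terminator is an assumption not stated on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8               /* stands in for the 8192-byte buffer in the report */
#define BACKING  (2 * BUF_SIZE)  /* constructed: keeps the overread inside defined memory */

/* Toy DFA step over path bytes: state 1 = live, state 0 = dead (hypothetical). */
static unsigned step(unsigned state, unsigned char c)
{
    return (state && (c == '/' || (c >= 'a' && c <= 'z'))) ? 1 : 0;
}

/* String-style walk: the only stop condition is a NUL byte, no length bound. */
static unsigned walk_str(const char *s, size_t *consumed)
{
    unsigned state = 1;
    size_t n = 0;

    for (; s[n] != '\0'; n++)
        state = step(state, (unsigned char)s[n]);
    *consumed = n;
    return state;
}

/* Fill the logical BUF_SIZE buffer with path and report how many bytes the walk read. */
size_t bytes_walked(const char *path, int terminate_first)
{
    char backing[BACKING];
    size_t len = strlen(path), consumed;

    memset(backing, 'x', sizeof(backing) - 1);  /* neighbouring data (constructed) */
    backing[sizeof(backing) - 1] = '\0';
    if (len > BUF_SIZE)
        len = BUF_SIZE;
    memcpy(backing, path, len);
    if (len < BUF_SIZE)
        backing[len] = '\0';                    /* NUL only when there is room */
    if (terminate_first)
        backing[BUF_SIZE - 1] = '\0';           /* terminate inside the buffer first */
    walk_str(backing, &consumed);
    return consumed;
}

int main(void)
{
    /* consumed >= BUF_SIZE means the walk read index BUF_SIZE, one past the buffer */
    printf("unterminated: %zu of %d\n", bytes_walked("/mnt/abc", 0), BUF_SIZE);
    printf("terminated:   %zu of %d\n", bytes_walked("/mnt/abc", 1), BUF_SIZE);
    return 0;
}
```

In the model, a count of `BUF_SIZE` or more corresponds to the read at the first byte past the buffer that KASAN flagged; forcing the terminator truncates an exactly-full path by one byte, which is the trade-off of terminating in place.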

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable branches once available; monitor git.kernel.org stable commits for backports
  • Enable KASAN in test environments to detect similar memory safety issues in AppArmor policy enforcement
  • Review AppArmor mount mediation policies for systems processing untrusted mount requests
  • Prioritize patching on ARM64 systems running Ubuntu 26.04 or Linux 7.0-rc4 with snapd/AppArmor enabled
  • Validate kernel builds include the termination fix in `aa_dfa_match` before production deployment

Evidence notes

The KASAN slab-out-of-bounds report confirms a 1-byte read past the 8192-byte buffer boundary at ffff0008901cc000. The call trace shows the vulnerability path: `aa_bind_mount` → `match_mnt` → `match_mnt_path_str` → `aa_dfa_match`. The buffer is allocated via `aa_get_buffer()` in `security/apparmor/lsm.c:2201`. The affected platform specifically noted in the reproduction environment is ARM64.
