HIGH
apparmor DFA OOB
CVE-2026-23269
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI: 2.2 LOW
01 Description
In the Linux kernel, the following vulnerability has been resolved:

apparmor: validate DFA start states are in bounds in unpack_pdb

Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds the number of states in the DFA, this results in an out-of-bound read.

    ==================================================================
    BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
    Read of size 4 at addr ffff88811956fb90 by task su/1097
    ...

Reject policies with out-of-bounds start states during unpacking to prevent the issue.
02 KernelScan AI Analysis
Risk summary
Administrative users with CAP_MAC_ADMIN can trigger an out-of-bounds read in the AppArmor policy loader by supplying a malicious policy file with an invalid DFA start state. This results in limited kernel information disclosure (a 4-byte slab out-of-bounds read) during policy unpacking.
Vulnerability analysis
The vulnerability exists in AppArmor's policy unpacking code where DFA start states read from untrusted policy data are used as array indices without bounds validation. In unpack_pdb(), aa_dfa_next() accesses dfa->tables[YYTD_ID_BASE][start], and when start exceeds the number of states in the DFA, it causes a slab out-of-bounds read of 4 bytes. The fix validates start states against the DFA state count before use. Exploitation requires CAP_MAC_ADMIN to load AppArmor policies, a capability that is not available within unprivileged user namespaces.
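The validation described above, as an added user-space example (not the kernel patch and not code from this page): a start state parsed from untrusted bytes is checked against the state count before it indexes the table. All `toy_*` names, the table contents and the error codes are assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical user-space model; not the kernel's structures or code. */
struct toy_dfa {
    size_t state_count;   /* entries in base[] */
    const uint32_t *base; /* stands in for dfa->tables[YYTD_ID_BASE] */
};

/* Table lookup with no check of its own: only safe for validated states. */
static uint32_t toy_dfa_base(const struct toy_dfa *dfa, uint32_t state)
{
    return dfa->base[state];
}

/* Parse a little-endian u32 start state from untrusted bytes and reject
 * anything that does not index a real state. Error codes are this
 * example's choice. */
int toy_unpack_start(const struct toy_dfa *dfa, const uint8_t *blob,
                     size_t len, uint32_t *start)
{
    uint32_t s;

    if (len < 4)
        return -EINVAL;                 /* truncated field */
    s = (uint32_t)blob[0] | (uint32_t)blob[1] << 8 |
        (uint32_t)blob[2] << 16 | (uint32_t)blob[3] << 24;
    if (s >= dfa->state_count)
        return -ERANGE;                 /* start state out of bounds */
    *start = s;
    return 0;
}

/* Unpack, then look up, against a constructed 4-state table. */
long toy_load(const uint8_t *blob, size_t len)
{
    static const uint32_t base[] = { 0, 10, 20, 30 }; /* constructed data */
    const struct toy_dfa dfa = { 4, base };
    uint32_t start;
    int err = toy_unpack_start(&dfa, blob, len, &start);

    return err ? err : (long)toy_dfa_base(&dfa, start);
}

int main(void)
{
    const uint8_t ok[] = { 2, 0, 0, 0 }, bad[] = { 4, 0, 0, 0 };

    return !(toy_load(ok, 4) == 20 && toy_load(bad, 4) == -ERANGE);
}
```

The comparison is `>=`, so a start state equal to the state count is rejected along with larger values.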
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | f43eea8ae010 |
| 5.15 | 5.15.203 | 5487871b2b56 |
| 6.1 | 6.1.169 | 5443c027ec16 |
| 6.6 | 6.6.130 | 07cf6320f40e |
| 6.12 | 6.12.77 | 15c3eb8916e7 |
| 6.18 | 6.18.18 | 0baadb0eece2 |
| 6.19 | 6.19.8 | 3bb7db43e321 |
| mainline | 7.0 | 9063d7e2615f |