HIGH Published 2026-04-01

apparmor Policy Double-Free

CVE-2026-23408

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI7.8HIGH

01Description

In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix double free of ns_name in aa_replace_profiles() if ns_name is NULL after 1071 error = aa_unpack(udata, &lh, &ns_name); and if ent->ns_name contains an ns_name in 1089 } else if (ent->ns_name) { then ns_name is assigned the ent->ns_name 1095 ns_name = ent->ns_name; however ent->ns_name is freed at 1262 aa_load_ent_free(ent); and then again when freeing ns_name at 1270 kfree(ns_name); Fix this by NULLing out ent->ns_name after it is transferred to ns_name ")

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

This vulnerability allows local attackers with policy loading privileges to cause kernel memory corruption through a double-free condition. While exploitation requires elevated privileges, successful attacks could lead to denial of service, privilege escalation, or arbitrary code execution in kernel space.

Affectedsecurity/apparmor/policy.c

Vulnerability analysis

Summary: Double-free vulnerability in AppArmor policy loading due to improper pointer ownership transfer

Root Cause: In aa_replace_profiles(), when ns_name is NULL after unpacking and ent->ns_name contains a valid namespace name, the code assigns ns_name = ent->ns_name without clearing ent->ns_name. This creates two pointers to the same memory location. Later, both aa_load_ent_free(ent) and kfree(ns_name) attempt to free the same memory, causing a double-free condition.

Attack Surface: Local attack surface requiring the ability to load AppArmor policies. Attackers need sufficient privileges to interact with the AppArmor policy loading interface, typically requiring root access or specific capabilities.

Fix Mechanism: The patch adds 'ent->ns_name = NULL;' immediately after the assignment 'ns_name = ent->ns_name;' to transfer ownership of the pointer and prevent the double-free. This ensures only one code path will free the memory.

03Fix Versions

Branch	Fixed in	Patch commit
5.10	5.10.253	`c6347a2116ec`
5.15	5.15.203	`c053ae381ce2`
6.1	6.1.169	`35f4caec1352`
6.12	6.12.77	`86feeccd6b93`
6.18	6.18.18	`7998ab3010d2`
6.19	6.19.8	`18b5233e860c`
6.6	6.6.130	`55ef2af7490a`
mainline	7.0	`5df0c44e8f5f`