KernelScan.io

HIGH

apparmor Policy Race

CVE-2026-23411

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 7.8 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix race between freeing data and fs accessing it

AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can and does live beyond that point and it is possible that some of the fs call back functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs.

While the rawdata/loaddata is the most likely candidate to fail the race, as it has the fewest references, if properly crafted it might be possible to trigger a race for the other types stored in i_private.

Fix this by moving the put of i_private referenced data to the correct place which is during inode eviction.

02

Engine v0.2.0

Risk summary

A local attacker with access to AppArmor policy files could potentially trigger a use-after-free condition by timing filesystem operations during policy updates. This could lead to kernel crashes or potentially code execution with kernel privileges.

Affected: security/apparmor/apparmorfs.c

Vulnerability analysis

Root Cause: AppArmor was releasing references to i_private data immediately after removing filesystem entries, but inodes can persist beyond that point. Filesystem callback functions could still be invoked after the reference was released, creating a race condition between data freeing and access.

Attack Surface: Local filesystem access to AppArmor policy files in apparmorfs. Requires ability to access /sys/kernel/security/apparmor/ or similar policy interface files. The race window exists during policy loading/unloading operations.

Fix Mechanism: The patch moves the reference release from the filesystem entry removal path to the inode eviction callback (aafs_evict). It introduces a common reference counting system with aa_common_ref structure and proper get/put functions. The fix ensures data remains valid as long as the inode exists.

03

Branch      Fixed in    Patch commit
5.10        5.10.253    a92c5e5086a8
5.15        5.15.203    667df93769c0
6.1         6.1.169     3ddb961d2929
6.12        6.12.77     eecce0263999
6.18        6.18.18     13bc2772414d
6.19        6.19.8      2a732ed26fbd
6.6         6.6.130     ae10787d955f
mainline    7.0         8e135b8aee5a