CVE-2026-23404
Stack Exhaustion in Linux AppArmor Due to Recursive Profile Removal
Publication date: 2026-04-01
Last updated on: 2026-04-24
Assigner: kernel.org
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 2.6.36 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.77 (exc) |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.169 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.18 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.8 (exc) |
| linux | linux_kernel | From 2.6.36.1 (inc) to 5.10.253 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's AppArmor security module. The issue arises from the way AppArmor removes nested security profiles using a recursive method. When many nested profiles are removed recursively, it can exhaust the kernel stack, leading to system crashes.
The vulnerability was addressed by replacing the recursive profile removal function with an iterative approach. This new method removes profiles repeatedly in a loop until all nested profiles are removed, preventing stack exhaustion while maintaining the same removal behavior.
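The recursion-versus-iteration point above can be seen in a small model. The following C program is an added illustration, not the kernel's own code: it represents nested profiles as a constructed parent/child tree, releases it once with a recursive routine of the same shape as the pre-fix code (one stack frame per nesting level) and once with an iterative routine that walks down to the deepest leaf and back up using only a pointer to the current profile. The struct, the function names `release_recursive` and `release_iterative`, and the nesting depths are assumptions made for the example; only the iterative version is run on a deep chain, because the recursive one would exhaust the stack exactly as the advisory describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed model of a nested-profile tree (e.g. a, a//x, a//x//x, ...).
 * Each profile owns a singly linked list of children. This is an
 * illustration of the pattern only, not AppArmor's real data structure. */
struct profile {
    struct profile *children;   /* first child, or NULL */
    struct profile *sibling;    /* next child of the same parent */
    struct profile *parent;     /* NULL for a top-level profile */
};

/* Build a root with a chain of `depth` profiles nested one inside the next. */
struct profile *build_nested(size_t depth) {
    struct profile *root = calloc(1, sizeof *root);
    struct profile *cur = root;
    for (size_t i = 0; i < depth; i++) {
        struct profile *child = calloc(1, sizeof *child);
        child->parent = cur;
        child->sibling = cur->children;
        cur->children = child;
        cur = child;
    }
    return root;
}

/* Recursive removal: the shape of the pre-fix code. Every nesting level
 * costs one more stack frame, so a chain of N levels needs N frames.
 * Returns the number of profiles freed (including `p`). */
size_t release_recursive(struct profile *p) {
    size_t freed = 0;
    while (p->children) {
        struct profile *child = p->children;
        p->children = child->sibling;        /* detach before recursing */
        freed += release_recursive(child);
    }
    free(p);
    return freed + 1;
}

/* Iterative removal: descend to a profile with no children, detach and
 * free it, then continue from its parent. Stack usage is constant no
 * matter how deep the nesting is. Returns the number of profiles freed. */
size_t release_iterative(struct profile *root) {
    size_t freed = 0;
    struct profile *cur = root;
    while (cur) {
        if (cur->children) {
            cur = cur->children;             /* go one level deeper */
            continue;
        }
        struct profile *parent = cur->parent;
        /* We always descend to the head of the child list, so `cur` is the
         * head of its parent's list and can be unlinked in O(1). */
        if (parent)
            parent->children = cur->sibling;
        free(cur);
        freed++;
        cur = parent;                        /* back up one level */
    }
    return freed;
}

int main(void) {
    /* Shallow chain: both strategies free the same number of profiles. */
    printf("recursive, depth 16: freed %zu\n", release_recursive(build_nested(16)));
    printf("iterative, depth 16: freed %zu\n", release_iterative(build_nested(16)));
    /* Deep chain: only the iterative version is safe to run here. */
    printf("iterative, depth 1000000: freed %zu\n",
           release_iterative(build_nested(1000000)));
    return 0;
}
```

The equivalence check on a shallow chain is what "maintaining the same removal behavior" means in practice: both routines free every profile in the subtree, but only the iterative one bounds its stack use.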
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to crash due to stack exhaustion when removing deeply nested AppArmor profiles. Such crashes can lead to system instability, downtime, and potential loss of availability for services running on the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability relates to the AppArmor profile removal process in the Linux kernel, which uses recursion and can lead to kernel stack exhaustion and system crashes.
A reproducer command sequence is provided to trigger the issue by creating nested profiles and then attempting to remove them:
- $ pf='a'; for ((i=0; i<1024; i++)); do echo -e "profile $pf { \n }" | apparmor_parser -K -a; pf="$pf//x"; done
- $ echo -n a > /sys/kernel/security/apparmor/.remove
Running these commands can help detect if the system is vulnerable by causing the kernel stack exhaustion and potential crash.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been resolved by replacing the recursive profile removal approach with an iterative one in the Linux kernel.
Immediate mitigation steps include updating the Linux kernel to a version that contains this fix, which replaces the recursive __aa_profile_list_release() function with an iterative __remove_profile() function.
Until the update is applied, avoid creating deeply nested AppArmor profiles that could trigger the recursive removal and cause kernel stack exhaustion.