CVE-2026-23405
Resource Exhaustion via Unbounded AppArmor Policy Namespace Nesting
Publication date: 2026-04-01
Last updated on: 2026-04-24
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 2.6.36 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.77 (exc) |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.169 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.18 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.8 (exc) |
| linux | linux_kernel | From 2.6.36.1 (inc) to 5.10.253 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The vulnerability can lead to resource exhaustion on the affected system. By creating and nesting policy namespaces without limit, an attacker can consume excessive system resources, which may degrade system performance or cause denial of service conditions.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's AppArmor component, where the number of policy namespaces is not properly limited. Although policy namespaces are intended to be limited by the user namespace limit, they are not strictly tied to user namespaces and can be created and nested arbitrarily deep. This lack of bounding allows an attacker to create many nested policy namespaces, potentially exhausting system resources.