CVE-2026-23406
Received Received - Intake
Out-of-Bounds Read in Linux AppArmor match_char() Macro

Publication date: 2026-04-01

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix side-effect bug in match_char() macro usage The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the string pointer advances on each iteration of the inner do-while loop, causing the DFA to check different characters at each iteration and therefore skip input characters. This results in out-of-bounds reads when the pointer advances past the input buffer boundary. [ 94.984676] ================================================================== [ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760 [ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976 [ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy) [ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 94.986329] Call Trace: [ 94.986341] <TASK> [ 94.986347] dump_stack_lvl+0x5e/0x80 [ 94.986374] print_report+0xc8/0x270 [ 94.986384] ? aa_dfa_match+0x5ae/0x760 [ 94.986388] kasan_report+0x118/0x150 [ 94.986401] ? aa_dfa_match+0x5ae/0x760 [ 94.986405] aa_dfa_match+0x5ae/0x760 [ 94.986408] __aa_path_perm+0x131/0x400 [ 94.986418] aa_path_perm+0x219/0x2f0 [ 94.986424] apparmor_file_open+0x345/0x570 [ 94.986431] security_file_open+0x5c/0x140 [ 94.986442] do_dentry_open+0x2f6/0x1120 [ 94.986450] vfs_open+0x38/0x2b0 [ 94.986453] ? may_open+0x1e2/0x2b0 [ 94.986466] path_openat+0x231b/0x2b30 [ 94.986469] ? __x64_sys_openat+0xf8/0x130 [ 94.986477] do_file_open+0x19d/0x360 [ 94.986487] do_sys_openat2+0x98/0x100 [ 94.986491] __x64_sys_openat+0xf8/0x130 [ 94.986499] do_syscall_64+0x8e/0x660 [ 94.986515] ? count_memcg_events+0x15f/0x3c0 [ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986540] ? handle_mm_fault+0x1639/0x1ef0 [ 94.986551] ? vma_start_read+0xf0/0x320 [ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0 [ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0 [ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986588] ? irqentry_exit+0x3c/0x590 [ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 94.986597] RIP: 0033:0x7fda4a79c3ea Fix by extracting the character value before invoking match_char, ensuring single evaluation per outer loop.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-24
Generated
2026-05-07
AI Q&A
2026-04-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23406
EUVD
EUVD-2026-17834
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 4.17
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.169 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.18 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.8 (exc)
linux linux_kernel From 4.17.1 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's AppArmor component, specifically in the usage of the match_char() macro. The macro evaluates its character parameter multiple times when processing differential encoding chains. When called with *str++, the string pointer advances on each iteration of the inner loop, causing the system to check different characters each time and skip some input characters.

As a result, the pointer can advance beyond the input buffer boundary, leading to out-of-bounds reads. This means the kernel may read memory it should not access, which can cause crashes or other unintended behavior.

The fix involved changing the code to extract the character value before calling match_char, ensuring the character is evaluated only once per loop iteration.


How can this vulnerability impact me? :

This vulnerability can lead to out-of-bounds memory reads in the Linux kernel's AppArmor security module. Such out-of-bounds reads may cause system instability, crashes, or potentially expose sensitive kernel memory contents.

While the description does not explicitly mention privilege escalation or code execution, out-of-bounds reads in kernel space can be a serious security risk, potentially allowing attackers to gain unauthorized information or cause denial of service.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as out-of-bounds reads in the Linux kernel's AppArmor module, which can be detected by observing kernel logs for specific error messages.

Look for kernel messages indicating KASAN slab-out-of-bounds errors related to aa_dfa_match, such as:

  • BUG: KASAN: slab-out-of-bounds in aa_dfa_match
  • Read of size 1 at addr ... by task file/...

You can check the kernel logs using commands like:

  • dmesg | grep -i 'KASAN: slab-out-of-bounds'
  • journalctl -k | grep -i 'aa_dfa_match'

Monitoring these logs can help detect if the vulnerability is being triggered on your system.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to update the Linux kernel to a version where this vulnerability has been fixed.

The fix involves correcting the match_char() macro usage in the AppArmor module to prevent out-of-bounds reads.

Until the kernel is updated, consider monitoring kernel logs for signs of exploitation and limit exposure by restricting untrusted access to the system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability in the Linux kernel's apparmor component results in out-of-bounds reads, which can lead to potential unauthorized access or corruption of memory. Given its impact on confidentiality, integrity, and availability (all rated high in the CVSS score), it could pose risks to systems handling sensitive data.

Such risks may affect compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and data breaches.

However, the provided information does not explicitly state the direct impact on compliance or specific regulatory requirements.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart