CVE-2026-45884
Awaiting Analysis - Queue
Kernel Memory Leak in Linux AppArmor

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

apparmor: avoid per-cpu hold underflow in aa_get_buffer

When aa_get_buffer() pulls from the per-cpu list it unconditionally decrements cache->hold. If hold reaches 0 while count is still non-zero, the unsigned decrement wraps to UINT_MAX. This keeps hold non-zero for a very long time, so aa_put_buffer() never returns buffers to the global list, which can starve other CPUs and force repeated kmalloc(aa_g_path_max) allocations.

Guard the decrement so hold never underflows.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-17
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: apparmor
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's AppArmor component, specifically in aa_get_buffer(), which hands out scratch buffers for path mediation. When the function takes a buffer from the per-CPU list it unconditionally decrements the per-CPU cache's hold counter (cache->hold). If hold is already zero while count (the number of buffers still on that per-CPU list) is non-zero, the next decrement of the unsigned counter wraps it to UINT_MAX.

A non-zero hold tells aa_put_buffer() to keep released buffers on the per-CPU list instead of returning them to the global list. With hold wrapped to UINT_MAX it stays non-zero for practical purposes indefinitely (about four billion further decrements would be needed to reach zero), so that CPU never gives buffers back. Other CPUs that find both their own list and the global list empty must fall back to a fresh kmalloc() of aa_g_path_max bytes on every request. The fix guards the decrement so hold is never taken below zero.

Impact Analysis

This vulnerability leads to buffer starvation on CPUs other than the one whose hold counter wrapped. Because that CPU no longer returns buffers to the global list, other CPUs run out of cached buffers and must repeatedly allocate aa_g_path_max-sized buffers with kmalloc().

The description identifies an accounting error in a counter rather than a memory-safety bug: no out-of-bounds access or use-after-free is described. The practical effect is degraded performance and increased memory pressure under heavy path-mediation load, which can amount to a local denial-of-service condition.

Mitigation Strategies

The vulnerability has been resolved by guarding the decrement in the Linux kernel's AppArmor aa_get_buffer() so that hold cannot underflow. No configuration workaround is described on this page; update the kernel to a release that includes this fix. The affected version range listed above is unbounded (*), so treat any kernel that lacks the fix as affected.
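The following is an added user-space model, not the kernel's code, that reproduces the counter mechanics described in the Executive Summary and shows the effect of the guard described in the Mitigation Strategies. It keeps only the two counters the description names (hold and count), a global free count standing in for the global list, and a kmalloc counter standing in for kmalloc(aa_g_path_max). The struct and function names, the "lock lost" flag that models contention on the global list, and the scenario itself are assumptions made for illustration; the real kernel code manages linked lists and a spinlock that this model omits.

```c
/*
 * Added example (not kernel code): a user-space model of AppArmor's
 * per-CPU buffer cache. It shows how an unguarded decrement of the
 * unsigned 'hold' counter wraps to UINT_MAX, which keeps the modelled
 * aa_put_buffer() from ever returning buffers to the global list, so a
 * second CPU is starved and has to fall back to fresh allocations.
 * Names, the contention flag and the scenario are assumptions.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

struct pool {
    unsigned int global_free;  /* buffers on the shared global list */
    unsigned int kmallocs;     /* times a CPU had to kmalloc(aa_g_path_max) */
};

struct cpu_cache {
    unsigned int hold;   /* while non-zero, released buffers stay on this CPU */
    unsigned int count;  /* buffers currently on this CPU's list */
};

/* Model of aa_get_buffer(): prefer the per-CPU list, then the global
 * list, then a fresh allocation. 'guarded' selects the fixed decrement. */
static void get_buffer(struct pool *p, struct cpu_cache *c, bool guarded)
{
    if (c->count) {
        c->count--;
        if (guarded) {
            if (c->hold)          /* the fix: never take hold below zero */
                c->hold--;
        } else {
            c->hold--;            /* the bug: wraps to UINT_MAX when hold == 0 */
        }
        return;
    }
    if (p->global_free) {
        p->global_free--;
        return;
    }
    p->kmallocs++;                /* starved: allocate a new buffer */
}

/* Model of aa_put_buffer(): with hold == 0 the buffer goes back to the
 * global list. 'contended' models failing to take the global lock, which
 * bumps hold by one and caches the buffer on the per-CPU list instead. */
static void put_buffer(struct pool *p, struct cpu_cache *c, bool contended)
{
    if (!c->hold) {
        if (!contended) {
            p->global_free++;
            return;
        }
        c->hold++;
    }
    c->count++;                   /* kept on the per-CPU list */
}

/* One contention event parks two buffers on cpu0 (count 2, hold 1), so
 * two gets drive hold past zero. cpu0 then releases three buffers and
 * cpu1 asks for three. Returns cpu0's final hold; *p reports the pool. */
static unsigned int run_scenario(bool guarded, struct pool *p)
{
    struct cpu_cache cpu0 = {0}, cpu1 = {0};
    *p = (struct pool){0};

    put_buffer(p, &cpu0, true);       /* lock lost: hold=1, count=1 */
    put_buffer(p, &cpu0, false);      /* hold>0: cached locally, count=2 */
    get_buffer(p, &cpu0, guarded);    /* hold=0, count=1 */
    get_buffer(p, &cpu0, guarded);    /* unguarded: hold wraps, count=0 */

    for (int i = 0; i < 3; i++)
        put_buffer(p, &cpu0, false);  /* go global only if hold == 0 */
    for (int i = 0; i < 3; i++)
        get_buffer(p, &cpu1, guarded);
    return cpu0.hold;
}

static unsigned int final_hold(bool guarded)
{
    struct pool p;
    return run_scenario(guarded, &p);
}

static unsigned int forced_kmallocs(bool guarded)
{
    struct pool p;
    run_scenario(guarded, &p);
    return p.kmallocs;
}

int main(void)
{
    printf("unguarded: hold=%u kmallocs on cpu1=%u\n",
           final_hold(false), forced_kmallocs(false));
    printf("guarded:   hold=%u kmallocs on cpu1=%u\n",
           final_hold(true), forced_kmallocs(true));
    return 0;
}
```

The point of the model is the asymmetry the description relies on: one contention event raises hold by exactly one, but every buffer released while hold is non-zero is cached locally, so count can exceed hold and the gets that drain the list decrement hold more times than it was ever incremented. The guard in the fixed branch is the whole correction.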
