CVE-2026-45884
Analyzed Analyzed - Analysis Complete

Kernel Memory Leak in Linux AppArmor

Vulnerability report for CVE-2026-45884, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-27

Last updated on: 2026-06-25

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid per-cpu hold underflow in aa_get_buffer When aa_get_buffer() pulls from the per-cpu list it unconditionally decrements cache->hold. If hold reaches 0 while count is still non-zero, the unsigned decrement wraps to UINT_MAX. This keeps hold non-zero for a very long time, so aa_put_buffer() never returns buffers to the global list, which can starve other CPUs and force repeated kmalloc(aa_g_path_max) allocations. Guard the decrement so hold never underflows.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-27
Last Modified
2026-06-25
Generated
2026-07-07
AI Q&A
2026-05-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.18.14 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.4 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.75 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's AppArmor component, specifically in the function aa_get_buffer(). When this function pulls from the per-CPU list, it unconditionally decrements a variable called cache->hold. If hold reaches zero while there are still buffers counted (count is non-zero), the decrement causes an unsigned integer underflow, wrapping hold to a very large value (UINT_MAX).

As a result, hold remains non-zero for a long time, preventing the function aa_put_buffer() from returning buffers to the global list. This can cause starvation of buffers for other CPUs and force repeated memory allocations (kmalloc) of a large size (aa_g_path_max). The fix involves guarding the decrement operation to prevent hold from underflowing.

Impact Analysis

This vulnerability can lead to resource starvation on CPUs other than the one affected. Because buffers are not returned to the global list, other CPUs may run out of available buffers, which forces the system to repeatedly allocate large amounts of memory dynamically.

This repeated allocation can degrade system performance and increase memory usage, potentially leading to instability or denial of service conditions under heavy load.

Mitigation Strategies

The vulnerability has been resolved by guarding the decrement operation in the Linux kernel's apparmor aa_get_buffer function to prevent underflow. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45884. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart