{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23269", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.991Z", "datePublished": "2026-03-18T17:54:42.988Z", "dateUpdated": "2026-04-02T14:44:04.248Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-02T14:44:04.248Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: validate DFA start states are in bounds in unpack_pdb\n\nStart states are read from untrusted data and used as indexes into the\nDFA state tables. The aa_dfa_next() function call in unpack_pdb() will\naccess dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds\nthe number of states in the DFA, this results in an out-of-bound read.\n\n==================================================================\n BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360\n Read of size 4 at addr ffff88811956fb90 by task su/1097\n ...\n\nReject policies with out-of-bounds start states during unpacking\nto prevent the issue."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/apparmor/policy_unpack.c"], "versions": [{"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592", "lessThan": "07cf6320f40ea2ccfad63728cff34ecb309d03da", "status": "affected", "versionType": "git"}, {"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592", "lessThan": "15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c", "status": "affected", "versionType": "git"}, {"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592", "lessThan": "0baadb0eece2c4d939db10d3c323b4652ac79a58", "status": "affected", "versionType": "git"}, {"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592", "lessThan": "3bb7db43e32190c973d4019037cedb7895920184", "status": "affected", "versionType": "git"}, {"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592", "lessThan": "9063d7e2615f4a7ab321de6b520e23d370e58816", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/apparmor/policy_unpack.c"], "versions": [{"version": "3.4", "status": "affected"}, {"version": "0", "lessThan": "3.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.18", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.8", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.18.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.19.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "7.0-rc4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/07cf6320f40ea2ccfad63728cff34ecb309d03da"}, {"url": "https://git.kernel.org/stable/c/15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c"}, {"url": "https://git.kernel.org/stable/c/0baadb0eece2c4d939db10d3c323b4652ac79a58"}, {"url": "https://git.kernel.org/stable/c/3bb7db43e32190c973d4019037cedb7895920184"}, {"url": "https://git.kernel.org/stable/c/9063d7e2615f4a7ab321de6b520e23d370e58816"}, {"url": "https://www.qualys.com/2026/03/10/crack-armor.txt"}], "title": "apparmor: validate DFA start states are in bounds in unpack_pdb", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: validate DFA start states are in bounds in unpack_pdb\n\nStart states are read from untrusted data and used as indexes into the\nDFA state tables. The aa_dfa_next() function call in unpack_pdb() will\naccess dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds\nthe number of states in the DFA, this results in an out-of-bound read.\n\n==================================================================\n BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360\n Read of size 4 at addr ffff88811956fb90 by task su/1097\n ...\n\nReject policies with out-of-bounds start states during unpacking\nto prevent the issue."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\napparmor: validar que los estados iniciales de DFA est\u00e1n dentro de los l\u00edmites en unpack_pdb\n\nLos estados iniciales se leen de datos no confiables y se usan como \u00edndices en las tablas de estados de DFA. La llamada a la funci\u00f3n aa_dfa_next() en unpack_pdb() acceder\u00e1 a dfa->tables[YYTD_ID_BASE][start], y si el estado inicial excede el n\u00famero de estados en el DFA, esto resulta en una lectura fuera de l\u00edmites.\n\n==================================================================\nERROR: KASAN: slab-out-of-bounds en aa_dfa_next+0x2a1/0x360\nLectura de tama\u00f1o 4 en la direcci\u00f3n ffff88811956fb90 por la tarea su/1097\n...\n\nRechazar pol\u00edticas con estados iniciales fuera de l\u00edmites durante el desempaquetado para prevenir el problema."}], "id": "CVE-2026-23269", "lastModified": "2026-04-02T15:16:27.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-18T18:16:25.907", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/07cf6320f40ea2ccfad63728cff34ecb309d03da"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0baadb0eece2c4d939db10d3c323b4652ac79a58"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3bb7db43e32190c973d4019037cedb7895920184"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9063d7e2615f4a7ab321de6b520e23d370e58816"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://www.qualys.com/2026/03/10/crack-armor.txt"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: apparmor: validate DFA start states are in bounds in unpack_pdb", "id": "2448753", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448753"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23269", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23269\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23269\nhttps://lore.kernel.org/linux-cve-announce/2026031846-CVE-2026-23269-2bf7@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ad5ff3db53c68c2f12936bc74ea5dfe0af943592,15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ad5ff3db53c68c2f12936bc74ea5dfe0af943592,0baadb0eece2c4d939db10d3c323b4652ac79a58)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ad5ff3db53c68c2f12936bc74ea5dfe0af943592,3bb7db43e32190c973d4019037cedb7895920184)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ad5ff3db53c68c2f12936bc74ea5dfe0af943592,9063d7e2615f4a7ab321de6b520e23d370e58816)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.18,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.8,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc4,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-27T11:50:39.420961+00:00", "value": {"mitigation_remediation": ["Update the system to a kernel version that contains the AppArmor DFA start\u2011state bounds\u2011check patch.", "If an immediate kernel upgrade is not feasible, restrict the sources of AppArmor profiles to trusted, signed files only, and validate profile integrity before loading.", "Optionally disable AppArmor services on systems where AppArmor is not required to eliminate the attack surface."], "summary": {"action": "Patch promptly", "impact": "Out-of-bounds read in the AppArmor kernel module may expose kernel memory contents"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases shipping the unpatched AppArmor implementation are affected, regardless of vendor. Since the vulnerability is present in the core AppArmor code under the Linux kernel, any distribution that includes the default kernel build for AppArmor without the patch is vulnerable.", "description_and_impact": "The flaw in AppArmor occurs when the kernel reads start states from untrusted profile data and uses them as indices into DFA state tables without validating that they lie within the number of available states. If an attacker provides a start state that is beyond the bounds, the kernel will read memory beyond the table, resulting in an out-of-bounds memory read. This can leak kernel memory contents, which could aid in privilege escalation or further attacks. No arbitrary code execution is performed by the kernel itself, but the leakage of confidential data is a significant risk.", "risk_and_exploitability": "The EPSS score is below 1\u202f% and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of known exploitation. The attack vector is inferred to require an attacker who can supply malicious or malformed AppArmor profile data to the kernel, typically a local or privilege\u2011escalation scenario. Because the flaw involves reading kernel memory, an exploit would likely leverage local execution privileges to trigger the vulnerability."}}}}, "created": "2026-03-19T08:55:49.552907+00:00", "updated": "2026-03-27T15:48:15.180354+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-129"]}