
CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race between freeing data and fs accessing it AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can and does live beyond that point and it is possible that some of the fs call back functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs. While the rawdata/... • https://git.kernel.org/stable/c/c961ee5f21b202dea60b63eeef945730d92e46a6 •

CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling poi... • https://git.kernel.org/stable/c/5d5182cae40115c03933989473288e54afb39c7c •

CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0

01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix differential encoding verification Differential encoding allows loops to be created if it is abused. To prevent this the unpack should verify that a diff-encode chain terminates. Unfortunately the differential encode verification had two bugs. 1. it conflated states that had gone through check and already been marked, with states that were currently being checked and marked. This means that loops in the current chain being ver... • https://git.kernel.org/stable/c/031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 •

CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix missing bounds check on DEFAULT table in verify_dfa() The verify_dfa() function only checks DEFAULT_TABLE bounds when the state is not differentially encoded. When the verification loop traverses the differential encoding chain, it reads k = DEFAULT_TABLE[j] and uses k as an array index without validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count, therefore, causes both out-of-bounds reads and writes. [ 57.179855] ... • https://git.kernel.org/stable/c/031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 •

CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix side-effect bug in match_char() macro usage The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the string pointer advances on each iteration of the inner do-while loop, causing the DFA to check different characters at each iteration and therefore skip input characters. This results in out-of-bounds reads when the pointer advances past ... • https://git.kernel.org/stable/c/074c1cd798cb0b481d7eaa749b64aa416563c053 •

CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0

01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix: limit the number of levels of policy namespaces Currently the number of policy namespaces is not bounded relying on the user namespace limit. However policy namespaces aren't strictly tied to user namespaces and it is possible to create them and nest them arbitrarily deep which can be used to exhaust system resource. Hard cap policy namespaces to the same depth as user namespaces. • https://git.kernel.org/stable/c/c88d4c7b049e87998ac0a9f455aa545cc895ef92 •

CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0

01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: replace recursive profile removal with iterative approach The profile removal code uses recursion when removing nested profiles, which can lead to kernel stack exhaustion and system crashes. Reproducer: $ pf='a'; for ((i=0; i<1024; i++)); do echo -e "profile $pf { \n }" | apparmor_parser -K -a; pf="$pf//x"; done $ echo -n a > /sys/kernel/security/apparmor/.remove Replace the recursive __aa_profile_list_release() approach with an i... • https://git.kernel.org/stable/c/c88d4c7b049e87998ac0a9f455aa545cc895ef92 •

CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0

01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix memory leak in verify_header The function sets `*ns = NULL` on every call, leaking the namespace string allocated in previous iterations when multiple profiles are unpacked. This also breaks namespace consistency checking since *ns is always NULL when the comparison is made. Remove the incorrect assignment. The caller (aa_unpack) initializes *ns to NULL once before the loop, which is sufficient. • https://git.kernel.org/stable/c/dd51c84857630e77c139afe4d9bba65fc051dc3f •

CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0

26 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing a... • https://git.kernel.org/stable/c/8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e •

CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0

26 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfnetlink_osf: validate individual option lengths in fingerprints nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL: Oops: general protection fault KASAN: null-ptr-deref in range [0x0000... • https://git.kernel.org/stable/c/11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 •