CVE-2026-23407
Description
In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix missing bounds check on DEFAULT table in verify_dfa()

The verify_dfa() function only checks DEFAULT_TABLE bounds when the state is not differentially encoded.

When the verification loop traverses the differential encoding chain, it reads k = DEFAULT_TABLE[j] and uses k as an array index without validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count, therefore, causes both out-of-bounds reads and writes.

[ 57.179855] ==================================================================
[ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660
[ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993
[ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 57.181563] Call Trace:
[ 57.181572]
[ 57.181577] dump_stack_lvl+0x5e/0x80
[ 57.181596] print_report+0xc8/0x270
[ 57.181605] verify_dfa+0x59a/0x660
[ 57.181608] kasan_report+0x118/0x150
[ 57.181620] verify_dfa+0x59a/0x660
[ 57.181623] verify_dfa+0x59a/0x660
[ 57.181627] aa_dfa_unpack+0x1610/0x1740
[ 57.181629] __kmalloc_cache_noprof+0x1d0/0x470
[ 57.181640] unpack_pdb+0x86d/0x46b0
[ 57.181647] srso_alias_return_thunk+0x5/0xfbef5
[ 57.181653] srso_alias_return_thunk+0x5/0xfbef5
[ 57.181656] aa_unpack_nameX+0x1a8/0x300
[ 57.181659] aa_unpack+0x20b0/0x4c30
[ 57.181662] srso_alias_return_thunk+0x5/0xfbef5
[ 57.181664] stack_depot_save_flags+0x33/0x700
[ 57.181681] kasan_save_track+0x4f/0x80
[ 57.181683] kasan_save_track+0x3e/0x80
[ 57.181686] __kasan_kmalloc+0x93/0xb0
[ 57.181688] __kvmalloc_node_noprof+0x44a/0x780
[ 57.181693] aa_simple_write_to_buffer+0x54/0x130
[ 57.181697] policy_update+0x154/0x330
[ 57.181704] aa_replace_profiles+0x15a/0x1dd0
[ 57.181707] srso_alias_return_thunk+0x5/0xfbef5
[ 57.181710] __kvmalloc_node_noprof+0x44a/0x780
[ 57.181712] aa_loaddata_alloc+0x77/0x140
[ 57.181715] srso_alias_return_thunk+0x5/0xfbef5
[ 57.181717] _copy_from_user+0x2a/0x70
[ 57.181730] policy_update+0x17a/0x330
[ 57.181733] profile_replace+0x153/0x1a0
[ 57.181735] rw_verify_area+0x93/0x2d0
[ 57.181740] vfs_write+0x235/0xab0
[ 57.181745] ksys_write+0xb0/0x170
[ 57.181748] do_syscall_64+0x8e/0x660
[ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 57.181765] RIP: 0033:0x7f6192792eb2

Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE entries unconditionally.
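A simplified user-space model of the check described above, added here as an illustration and not taken from the kernel source. The struct, flag values, function names and the three-state table are assumptions constructed for the example; it shows why skipping the bounds check for differentially encoded states lets an out-of-range DEFAULT entry reach the chain walk.

```c
#include <stdint.h>
#include <stdio.h>

#define DIFF_ENCODE 0x80000000u /* model flag: state is differentially encoded */
#define MARK_SEEN   0x40000000u /* model flag: chain walk visited this state */
struct model_dfa { size_t n; uint32_t *base, *def; }; /* n = state_count */

/* DEFAULT-table bounds check. skip_diff=1 models the conditional check the
 * description calls incomplete; skip_diff=0 validates every entry. */
static int check_default(const struct model_dfa *d, int skip_diff)
{
    for (size_t i = 0; i < d->n; i++) {
        if (skip_diff && (d->base[i] & DIFF_ENCODE))
            continue;
        if (d->def[i] >= d->n)
            return -1;
    }
    return 0;
}

/* Walk the differential-encoding chains. Returns the first k that would index
 * past the tables, or -1. The guard exists only so the model is safe to run. */
static long first_oob(struct model_dfa *d)
{
    for (size_t i = 0; i < d->n; i++) {
        for (size_t j = i, k; (d->base[j] & DIFF_ENCODE) && !(d->base[j] & MARK_SEEN); j = k) {
            k = d->def[j];
            if (k >= d->n)
                return (long)k;   /* base[k] would be read, then written */
            if (k <= j)
                break;            /* model stops on a loop or earlier state */
            d->base[j] |= MARK_SEEN;
        }
    }
    return -1;
}

/* Constructed table: DEFAULT[1] = 7 >= 3 states. -2 means rejected by the check. */
static long demo(int skip_diff)
{
    uint32_t base[3] = { 0, DIFF_ENCODE, 0 }, def[3] = { 0, 7, 0 };
    struct model_dfa d = { 3, base, def };
    return check_default(&d, skip_diff) ? -2 : first_oob(&d);
}

int main(void)
{
    printf("conditional: %ld, unconditional: %ld\n", demo(1), demo(0));
    return 0;
}
```

With the conditional check the malformed entry passes verification and the walk reaches index 7 of a three-state table; with the unconditional check the table is rejected before the walk starts.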
Risk Information
Associated Vulnerability
No records found
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234