CVE-2026-23410
Description
In the Linux kernel, the following vulnerability has been resolved:apparmor: fix race on rawdata dereferenceThere is a race condition that leads to a use-after-free situation:because the rawdata inodes are not refcounted, an attacker can startopen()ing one of the rawdata files, and at the same time remove thelast reference to this rawdata (by removing the corresponding profile,for example), which frees its struct aa_loaddata; as a result, whenseq_rawdata_open() is reached, i_private is a dangling pointer andfreed memory is accessed.The rawdata inodes werent refcounted to avoid a circular refcount andwere supposed to be held by the profile rawdata reference. Howeverduring profile removal there is a window where the vfs and profiledestruction race, resulting in the use after free.Fix this by moving to a double refcount scheme. Where the profilerefcount on rawdata is used to break the circular dependency. Allowingfor freeing of the rawdata once all inode references to the rawdataare put.
Risk Information
Associated Vulnerability
No records foundPatch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234