CVE-2026-23269
Published: 18 March 2026
Summary
CVE-2026-23269 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE is ranked at the 4.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-23269 is an out-of-bounds read vulnerability in the Linux kernel's AppArmor subsystem, specifically within the unpack_pdb function. Start states parsed from untrusted policy data are used as indexes into DFA state tables without bounds validation, leading to an out-of-bounds read in aa_dfa_next when the start state exceeds the number of states in the DFA. This issue was detected via KASAN as a slab-out-of-bounds read of size 4.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation results in high confidentiality and availability impacts, such as information disclosure through memory reads or denial of service via kernel crashes, but without integrity impact.
The referenced kernel patches implement the mitigation: they reject AppArmor policies containing out-of-bounds start states during unpacking, which prevents the invalid indexing. The fixes are available in stable kernel commits, including 07cf6320f40ea2ccfad63728cff34ecb309d03da, 0baadb0eece2c4d939db10d3c323b4652ac79a58, 15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c, 3bb7db43e32190c973d4019037cedb7895920184, and 5443c027ec16afa55b1b8a3e7a1ab2ea3c77767a.
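The unpack-time check described above, as an added example: a simplified user-space model, not the kernel's AppArmor code and not the upstream patch. The struct, function names, size cap and blob layout are all assumptions made for illustration.

```c
/* Simplified model, not kernel code. Constructed blob layout (not AppArmor's):
 * LE u32 state count, that many LE u32 table entries, LE u32 start state. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TOY_MAX_STATES 64u          /* assumption: arbitrary cap for the model */

struct toy_pdb {                    /* hypothetical stand-in for a policy db */
    uint32_t base[TOY_MAX_STATES];  /* per-state table, indexed by state number */
    uint32_t state_count;
    uint32_t start;                 /* comes straight from untrusted input */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 if the blob is malformed or start is out of bounds. */
int toy_unpack(const uint8_t *blob, size_t len, struct toy_pdb *out)
{
    if (len < 8)
        return -1;
    uint32_t n = rd32(blob);
    if (n == 0 || n > TOY_MAX_STATES || len != 8 + (size_t)n * 4)
        return -1;
    for (uint32_t i = 0; i < n; i++)
        out->base[i] = rd32(blob + 4 + (size_t)i * 4);
    out->state_count = n;
    out->start = rd32(blob + 4 + (size_t)n * 4);
    if (out->start >= out->state_count)   /* reject before any table lookup */
        return -1;
    return 0;
}

/* Loads a blob; returns the table entry for the start state, or -1 if rejected. */
long toy_load(const uint8_t *blob, size_t len)
{
    struct toy_pdb pdb;
    return toy_unpack(blob, len, &pdb) ? -1 : (long)pdb.base[pdb.start];
}

/* Constructed samples: 3 states {10,20,30}; start = 2 (valid) and 3 (one past). */
static const uint8_t SAMPLE_OK[]  = {3,0,0,0, 10,0,0,0, 20,0,0,0, 30,0,0,0, 2,0,0,0};
static const uint8_t SAMPLE_OOB[] = {3,0,0,0, 10,0,0,0, 20,0,0,0, 30,0,0,0, 3,0,0,0};

int main(void) { printf("%ld\n", toy_load(SAMPLE_OOB, sizeof SAMPLE_OOB)); return 0; }
```

A start state equal to the state count is the boundary case: it is one past the last valid index, so the comparison has to be `>=` rather than `>`.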
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12912
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

apparmor: validate DFA start states are in bounds in unpack_pdb

Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds the number of states in the DFA, this results in an out-of-bound read.

    ==================================================================
    BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
    Read of size 4 at addr ffff88811956fb90 by task su/1097
    ...

Reject policies with out-of-bounds start states during unpacking to prevent the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OOB read enables kernel memory disclosure (credential access) and crashes (DoS via exploitation).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Requires validation of untrusted AppArmor policy inputs such as DFA start states to ensure they are within bounds, directly preventing the out-of-bounds read during unpacking.
Mandates proper error handling for invalid inputs like out-of-bounds start states, enabling rejection of malformed policies to avoid kernel memory access errors.
Provides memory protections that mitigate out-of-bounds reads in kernel DFA state tables even if input validation fails.