Cyber Resilience

CVE-2026-23269

HighUpdated

Published: 18 March 2026

Published
18 March 2026
Modified
29 May 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS Score 0.0002 4.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23269 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 4.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-23269 is an out-of-bounds read vulnerability in the Linux kernel's AppArmor subsystem, specifically within the unpack_pdb function. Start states parsed from untrusted policy data are used as indexes into DFA state tables without bounds validation, leading to an out-of-bounds read in aa_dfa_next when the start state exceeds the number of states in the DFA. This issue was detected via KASAN as a slab-out-of-bounds read of size 4.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation results in high confidentiality and availability impacts, such as information disclosure through memory reads or denial of service via kernel crashes, but without integrity impact.

The provided kernel patch references detail the mitigation, which rejects AppArmor policies containing out-of-bounds start states during the unpacking process to prevent the invalid indexing. These fixes are available in stable kernel commits, including 07cf6320f40ea2ccfad63728cff34ecb309d03da, 0baadb0eece2c4d939db10d3c323b4652ac79a58, 15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c, 3bb7db43e32190c973d4019037cedb7895920184, and 5443c027ec16afa55b1b8a3e7a1ab2ea3c77767a.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: apparmor: validate DFA start states are in bounds in unpack_pdb Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call…

more

in unpack_pdb() will access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds the number of states in the DFA, this results in an out-of-bound read. ================================================================== BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360 Read of size 4 at addr ffff88811956fb90 by task su/1097 ... Reject policies with out-of-bounds start states during unpacking to prevent the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

OOB read enables kernel memory disclosure (credential access) and crashes (DoS via exploitation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21743Same product: Linux Linux Kernel
CVE-2026-31774Same product: Linux Linux Kernel
CVE-2026-23325Same product: Linux Linux Kernel
CVE-2025-21815Same product: Linux Linux Kernel
CVE-2026-31779Same product: Linux Linux Kernel
CVE-2026-43051Same product: Linux Linux Kernel
CVE-2026-31568Same product: Linux Linux Kernel
CVE-2026-43042Same product: Linux Linux Kernel
CVE-2026-23204Same product: Linux Linux Kernel
CVE-2026-23363Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 3.4 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.169

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of untrusted AppArmor policy inputs such as DFA start states to ensure they are within bounds, directly preventing the out-of-bounds read during unpacking.

prevent

Mandates proper error handling for invalid inputs like out-of-bounds start states, enabling rejection of malformed policies to avoid kernel memory access errors.

prevent

Provides memory protections that mitigate out-of-bounds reads in kernel DFA state tables even if input validation fails.

References