CVE-2026-23406
Published: 01 April 2026
Summary
CVE-2026-23406 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely patching of the kernel flaw in AppArmor's aa_dfa_match function to eliminate the out-of-bounds read vulnerability.
Implements memory protection mechanisms such as address space layout randomization and supervisor mode protections to mitigate out-of-bounds reads from the pointer advancement bug.
Restricts system to least functionality by disabling non-essential AppArmor module, avoiding execution of the vulnerable aa_dfa_match code path during file operations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel OOB read in AppArmor enables exploitation for privilege escalation to achieve full C/I/A compromise.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix side-effect bug in match_char() macro usage The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the string pointer advances…
more
on each iteration of the inner do-while loop, causing the DFA to check different characters at each iteration and therefore skip input characters. This results in out-of-bounds reads when the pointer advances past the input buffer boundary. [ 94.984676] ================================================================== [ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760 [ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976 [ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy) [ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 94.986329] Call Trace: [ 94.986341] <TASK> [ 94.986347] dump_stack_lvl+0x5e/0x80 [ 94.986374] print_report+0xc8/0x270 [ 94.986384] ? aa_dfa_match+0x5ae/0x760 [ 94.986388] kasan_report+0x118/0x150 [ 94.986401] ? aa_dfa_match+0x5ae/0x760 [ 94.986405] aa_dfa_match+0x5ae/0x760 [ 94.986408] __aa_path_perm+0x131/0x400 [ 94.986418] aa_path_perm+0x219/0x2f0 [ 94.986424] apparmor_file_open+0x345/0x570 [ 94.986431] security_file_open+0x5c/0x140 [ 94.986442] do_dentry_open+0x2f6/0x1120 [ 94.986450] vfs_open+0x38/0x2b0 [ 94.986453] ? may_open+0x1e2/0x2b0 [ 94.986466] path_openat+0x231b/0x2b30 [ 94.986469] ? __x64_sys_openat+0xf8/0x130 [ 94.986477] do_file_open+0x19d/0x360 [ 94.986487] do_sys_openat2+0x98/0x100 [ 94.986491] __x64_sys_openat+0xf8/0x130 [ 94.986499] do_syscall_64+0x8e/0x660 [ 94.986515] ? count_memcg_events+0x15f/0x3c0 [ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986540] ? handle_mm_fault+0x1639/0x1ef0 [ 94.986551] ? vma_start_read+0xf0/0x320 [ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0 [ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0 [ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986588] ? irqentry_exit+0x3c/0x590 [ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 94.986597] RIP: 0033:0x7fda4a79c3ea Fix by extracting the character value before invoking match_char, ensuring single evaluation per outer loop.
Deeper analysisAI
CVE-2026-23406 is a vulnerability in the Linux kernel's AppArmor security module. The issue arises from a side-effect bug in the usage of the match_char() macro within the aa_dfa_match function. This macro evaluates its character parameter, passed as *str++, multiple times when traversing differential encoding chains, causing the string pointer to advance unexpectedly on each iteration of an inner do-while loop. As a result, the DFA checks incorrect characters and skips input, leading to out-of-bounds reads beyond the input buffer boundary. Kernel Address Sanitizer (KASAN) logs confirm slab-out-of-bounds reads of size 1 during aa_dfa_match, triggered in the call chain from apparmor_file_open via security_file_open and vfs_open.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as indicated by the CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation occurs during file open operations under AppArmor policy enforcement, such as in path_openat and do_sys_openat syscalls, potentially allowing high-impact compromise of confidentiality, integrity, and availability through out-of-bounds memory access (CWE-125).
Mitigation requires applying upstream Linux kernel patches from the stable repository. The fix extracts the character value before invoking match_char() to ensure single evaluation per outer loop iteration, preventing pointer advancement issues. Relevant commits include: https://git.kernel.org/stable/c/0510d1ba0976f97f521feb2b75b0572ea5df3ceb, https://git.kernel.org/stable/c/1fc94f16098213d01e56c97feed9b3ecf0147a37, https://git.kernel.org/stable/c/383b7270faf42564f133134c2fc3c24bbae52615, https://git.kernel.org/stable/c/5a184f7cbdeaad17e16dedf3c17d0cd622edfed8, and https://git.kernel.org/stable/c/8756b68edae37ff546c02091989a4ceab3f20abd.
Details
- CWE(s)