CVE-2026-23408
Published: 01 April 2026
Summary
CVE-2026-23408 is a high-severity Double Free (CWE-415) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely identification, reporting, and correction of the double-free flaw in the Linux kernel's AppArmor aa_replace_profiles() function via patching.
Enables detection of systems vulnerable to CVE-2026-23408 through periodic vulnerability scanning of kernel versions.
Provides memory safeguards like randomization and protections that mitigate exploitation of the double-free for memory corruption or code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Double-free in kernel AppArmor enables local arbitrary code execution/priv esc via memory corruption.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix double free of ns_name in aa_replace_profiles() if ns_name is NULL after 1071 error = aa_unpack(udata, &lh, &ns_name); and if ent->ns_name contains an ns_name in 1089 } else if…
more
(ent->ns_name) { then ns_name is assigned the ent->ns_name 1095 ns_name = ent->ns_name; however ent->ns_name is freed at 1262 aa_load_ent_free(ent); and then again when freeing ns_name at 1270 kfree(ns_name); Fix this by NULLing out ent->ns_name after it is transferred to ns_name ")
Deeper analysisAI
CVE-2026-23408 is a double-free vulnerability (CWE-415) in the Linux kernel's AppArmor subsystem, specifically within the aa_replace_profiles() function. The issue arises when ns_name is NULL following the aa_unpack() call on user-provided data. If ent->ns_name contains a value, it is then assigned to ns_name, but ent->ns_name is subsequently freed during aa_load_ent_free(ent), followed by a second free of ns_name itself. This affects Linux kernel versions prior to the application of the referenced patches.
The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited by a local attacker with low privileges and low complexity, without requiring user interaction. Successful exploitation could allow the attacker to achieve high impacts on confidentiality, integrity, and availability, such as memory corruption, arbitrary code execution, or kernel crashes via the double free.
Mitigation requires updating to a patched Linux kernel version. The upstream fixes, detailed in stable kernel commit references such as https://git.kernel.org/stable/c/18b5233e860c294a847ee07869d93c0b8673a54b, https://git.kernel.org/stable/c/35f4caec1352054b9a61cfdf2bf1898073637aa0, https://git.kernel.org/stable/c/55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a, https://git.kernel.org/stable/c/5df0c44e8f5f619d3beb871207aded7c78414502, and https://git.kernel.org/stable/c/7998ab3010d2317643f91828f1853d954ef31387, resolve the issue by NULLing out ent->ns_name after transferring it to ns_name.
Details
- CWE(s)