CVE-2026-23410
Published: 01 April 2026
Summary
CVE-2026-23410 is a high-severity Race Condition (CWE-362) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 2.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the AppArmor race condition use-after-free by applying Linux kernel patches that implement a double refcount scheme for rawdata inodes.
Provides kernel memory protection mechanisms like freelist randomization and guard pages that mitigate exploitation of the use-after-free in struct aa_loaddata.
Enables vulnerability scanning to identify Linux kernel versions vulnerable to this AppArmor rawdata race condition for timely patching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF race condition in AppArmor directly enables exploitation for privilege escalation to achieve code execution or root access.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling pointer and freed memory is accessed. The rawdata inodes weren't refcounted to avoid a circular refcount and were supposed to be held by the profile rawdata reference. However during profile removal there is a window where the vfs and profile destruction race, resulting in the use after free. Fix this by moving to a double refcount scheme. Where the profile refcount on rawdata is used to break the circular dependency. Allowing for freeing of the rawdata once all inode references to the rawdata are put.
Deeper analysis
CVE-2026-23410 is a race condition vulnerability in the Linux kernel's AppArmor subsystem that results in a use-after-free when dereferencing rawdata inodes. The issue occurs because rawdata inodes lack refcounting to avoid circular dependencies, creating a window during profile removal where the VFS and profile destruction can race. An attacker can open a rawdata file while simultaneously removing the last reference to the rawdata, such as by removing the corresponding profile, leading to a dangling pointer in seq_rawdata_open() and access to freed memory in struct aa_loaddata. It affects the Linux kernel and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-362.
A local attacker with low privileges can exploit this vulnerability by initiating an open() on a rawdata file concurrent with the removal of the profile's rawdata reference. This triggers the use-after-free, enabling high-impact effects on confidentiality, integrity, and availability, such as potential memory corruption or code execution depending on the freed memory's reuse.
Mitigation is provided through patches in Linux kernel stable branches that introduce a double refcount scheme, using the profile refcount on rawdata to resolve the circular dependency and allow safe freeing once all inode references are dropped. Key commits include 3b8e77c7abab40e6de9ad9de730d77984a498840, 6b6ba87579c7e7c669e0bec91823e7fb693bc5df, 6ef1f2926c41ab96952d9696d55a052f1b3a9418, 763e838adc3c7ec5a7df2990ce84cad951e42721, and a0b7091c4de45a7325c8780e6934a894f92ac86b, available via kernel.org stable git repositories.
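The double refcount idea described above can be seen in a small userspace model. This is an added example, not the kernel patch: the struct, field and function names are hypothetical, and the interleaving is replayed deterministically in one thread so that no freed memory is ever touched.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model only; struct and function names are hypothetical. */
struct rawdata {
    atomic_int count;   /* keeps the memory alive (profile side + inodes) */
    atomic_int pcount;  /* profile references; zero means unpublish */
    bool published;
};

static int frees;       /* objects released so far, observed by the replay */

static void rawdata_put(struct rawdata *rd)
{
    if (atomic_fetch_sub(&rd->count, 1) == 1) {
        frees++;
        free(rd);
    }
}

/* Last profile reference gone: unpublish and drop the profile-side count. */
static void rawdata_put_profile(struct rawdata *rd)
{
    if (atomic_fetch_sub(&rd->pcount, 1) == 1) {
        rd->published = false;
        rawdata_put(rd);
    }
}

/*
 * Replays "open() in flight while the profile is removed".
 * Returns how many frees have happened at the moment the opener would
 * dereference the object: 1 means dangling pointer, 0 means still valid.
 */
static int frees_seen_by_opener(bool inode_holds_ref)
{
    struct rawdata *rd = calloc(1, sizeof(*rd));
    if (!rd)
        return -1;
    atomic_init(&rd->count, 1);      /* held collectively by profile refs */
    atomic_init(&rd->pcount, 1);
    rd->published = true;
    if (inode_holds_ref)
        atomic_fetch_add(&rd->count, 1);  /* fixed scheme: inode pins data */
    frees = 0;
    rawdata_put_profile(rd);         /* profile removal races with open() */
    int seen = frees;                /* opener reaches the dereference here */
    if (inode_holds_ref)
        rawdata_put(rd);             /* inode evicted after the open ends */
    return seen;
}
```

With `inode_holds_ref` false the object is already freed when the opener would read it; with it true the free is deferred until the inode's own reference is put.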
Details
- CWE(s)