CVE-2026-23411
Published: 01 April 2026
Summary
CVE-2026-23411 is a high-severity Race Condition (CWE-362) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly addresses the vulnerability by requiring timely application of kernel patches that relocate the i_private reference put to inode eviction, eliminating the use-after-free race condition in AppArmor.
- Provides kernel memory protections such as KASLR and SMEP/DEP to hinder exploitation of the use-after-free access to freed i_private data by filesystem callbacks.
- Minimizes attack surface by configuring the kernel to disable non-essential modules like AppArmor, avoiding exposure to this race condition if not required for operations.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Local kernel UAF in AppArmor directly enables privilege escalation via use-after-free memory access.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix race between freeing data and fs accessing it

AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can and does live beyond that point and it is possible that some of the fs call back functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs. While the rawdata/loaddata is the most likely candidate to fail the race, as it has the fewest references, if properly crafted it might be possible to trigger a race for the other types stored in i_private. Fix this by moving the put of i_private referenced data to the correct place which is during inode eviction.
Deeper analysis [AI]
CVE-2026-23411 is a race condition vulnerability in the Linux kernel's AppArmor module. The issue arises when AppArmor releases a reference to i_private data after removing the corresponding entry from the file system, while the inode may persist longer. This allows filesystem callback functions to access the data after it has been freed, creating a race between data freeing and filesystem access. Rawdata/loaddata structures are the most likely to trigger the failure due to fewer references, though crafted scenarios might affect other i_private data types.
A local attacker with low privileges can exploit this vulnerability, as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation requires low attack complexity and no user interaction, potentially leading to high impacts on confidentiality, integrity, and availability through use-after-free access to kernel memory.
Mitigation involves applying kernel patches from the provided stable commit references, which relocate the reference put operation to inode eviction, ensuring data is not accessed after freeing. The top references include kernel.org stable commits such as 13bc2772414d68e94e273dea013181a986948ddf, 2a732ed26fbd048e7925d227af8cf9ea43fb5cc9, 3ddb961d2929bbb3204a2bba21b5d8153cd3f7cc, 667df93769c02ff581c77d2d8f162147e719c557, and 8e135b8aee5a06c52a4347a5a6d51223c6f36ba3.
Details
- CWE(s)