CVE-2026-23406 (GCVE-0-2026-23406)

Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-04-02 14:44
VLAI?
Title
apparmor: fix side-effect bug in match_char() macro usage
Summary
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix side-effect bug in match_char() macro usage The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the string pointer advances on each iteration of the inner do-while loop, causing the DFA to check different characters at each iteration and therefore skip input characters. This results in out-of-bounds reads when the pointer advances past the input buffer boundary. [ 94.984676] ================================================================== [ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760 [ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976 [ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy) [ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 94.986329] Call Trace: [ 94.986341] <TASK> [ 94.986347] dump_stack_lvl+0x5e/0x80 [ 94.986374] print_report+0xc8/0x270 [ 94.986384] ? aa_dfa_match+0x5ae/0x760 [ 94.986388] kasan_report+0x118/0x150 [ 94.986401] ? aa_dfa_match+0x5ae/0x760 [ 94.986405] aa_dfa_match+0x5ae/0x760 [ 94.986408] __aa_path_perm+0x131/0x400 [ 94.986418] aa_path_perm+0x219/0x2f0 [ 94.986424] apparmor_file_open+0x345/0x570 [ 94.986431] security_file_open+0x5c/0x140 [ 94.986442] do_dentry_open+0x2f6/0x1120 [ 94.986450] vfs_open+0x38/0x2b0 [ 94.986453] ? may_open+0x1e2/0x2b0 [ 94.986466] path_openat+0x231b/0x2b30 [ 94.986469] ? __x64_sys_openat+0xf8/0x130 [ 94.986477] do_file_open+0x19d/0x360 [ 94.986487] do_sys_openat2+0x98/0x100 [ 94.986491] __x64_sys_openat+0xf8/0x130 [ 94.986499] do_syscall_64+0x8e/0x660 [ 94.986515] ? count_memcg_events+0x15f/0x3c0 [ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986540] ? handle_mm_fault+0x1639/0x1ef0 [ 94.986551] ? vma_start_read+0xf0/0x320 [ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0 [ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0 [ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986588] ? irqentry_exit+0x3c/0x590 [ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 94.986597] RIP: 0033:0x7fda4a79c3ea Fix by extracting the character value before invoking match_char, ensuring single evaluation per outer loop.
Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 074c1cd798cb0b481d7eaa749b64aa416563c053 , < 5a184f7cbdeaad17e16dedf3c17d0cd622edfed8 (git)
Affected: 074c1cd798cb0b481d7eaa749b64aa416563c053 , < b73c1dff8a9d7eeaebabf8097a5b2de192f40913 (git)
Affected: 074c1cd798cb0b481d7eaa749b64aa416563c053 , < 0510d1ba0976f97f521feb2b75b0572ea5df3ceb (git)
Affected: 074c1cd798cb0b481d7eaa749b64aa416563c053 , < 383b7270faf42564f133134c2fc3c24bbae52615 (git)
Affected: 074c1cd798cb0b481d7eaa749b64aa416563c053 , < 8756b68edae37ff546c02091989a4ceab3f20abd (git)
Create a notification for this product.
    Linux Linux Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.77 , ≤ 6.12.* (semver)
Unaffected: 6.18.18 , ≤ 6.18.* (semver)
Unaffected: 6.19.8 , ≤ 6.19.* (semver)
Unaffected: 7.0-rc4 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/apparmor/match.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5a184f7cbdeaad17e16dedf3c17d0cd622edfed8",
              "status": "affected",
              "version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
              "versionType": "git"
            },
            {
              "lessThan": "b73c1dff8a9d7eeaebabf8097a5b2de192f40913",
              "status": "affected",
              "version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
              "versionType": "git"
            },
            {
              "lessThan": "0510d1ba0976f97f521feb2b75b0572ea5df3ceb",
              "status": "affected",
              "version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
              "versionType": "git"
            },
            {
              "lessThan": "383b7270faf42564f133134c2fc3c24bbae52615",
              "status": "affected",
              "version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
              "versionType": "git"
            },
            {
              "lessThan": "8756b68edae37ff546c02091989a4ceab3f20abd",
              "status": "affected",
              "version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/apparmor/match.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0-rc4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.77",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.18",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.8",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0-rc4",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix side-effect bug in match_char() macro usage\n\nThe match_char() macro evaluates its character parameter multiple\ntimes when traversing differential encoding chains. When invoked\nwith *str++, the string pointer advances on each iteration of the\ninner do-while loop, causing the DFA to check different characters\nat each iteration and therefore skip input characters.\nThis results in out-of-bounds reads when the pointer advances past\nthe input buffer boundary.\n\n[   94.984676] ==================================================================\n[   94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760\n[   94.985655] Read of size 1 at addr ffff888100342000 by task file/976\n\n[   94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)\n[   94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   94.986329] Call Trace:\n[   94.986341]  \u003cTASK\u003e\n[   94.986347]  dump_stack_lvl+0x5e/0x80\n[   94.986374]  print_report+0xc8/0x270\n[   94.986384]  ? aa_dfa_match+0x5ae/0x760\n[   94.986388]  kasan_report+0x118/0x150\n[   94.986401]  ? aa_dfa_match+0x5ae/0x760\n[   94.986405]  aa_dfa_match+0x5ae/0x760\n[   94.986408]  __aa_path_perm+0x131/0x400\n[   94.986418]  aa_path_perm+0x219/0x2f0\n[   94.986424]  apparmor_file_open+0x345/0x570\n[   94.986431]  security_file_open+0x5c/0x140\n[   94.986442]  do_dentry_open+0x2f6/0x1120\n[   94.986450]  vfs_open+0x38/0x2b0\n[   94.986453]  ? may_open+0x1e2/0x2b0\n[   94.986466]  path_openat+0x231b/0x2b30\n[   94.986469]  ? __x64_sys_openat+0xf8/0x130\n[   94.986477]  do_file_open+0x19d/0x360\n[   94.986487]  do_sys_openat2+0x98/0x100\n[   94.986491]  __x64_sys_openat+0xf8/0x130\n[   94.986499]  do_syscall_64+0x8e/0x660\n[   94.986515]  ? count_memcg_events+0x15f/0x3c0\n[   94.986526]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986540]  ? handle_mm_fault+0x1639/0x1ef0\n[   94.986551]  ? vma_start_read+0xf0/0x320\n[   94.986558]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986561]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986563]  ? fpregs_assert_state_consistent+0x50/0xe0\n[   94.986572]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986574]  ? arch_exit_to_user_mode_prepare+0x9/0xb0\n[   94.986587]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986588]  ? irqentry_exit+0x3c/0x590\n[   94.986595]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   94.986597] RIP: 0033:0x7fda4a79c3ea\n\nFix by extracting the character value before invoking match_char,\nensuring single evaluation per outer loop."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-02T14:44:35.415Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5a184f7cbdeaad17e16dedf3c17d0cd622edfed8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b73c1dff8a9d7eeaebabf8097a5b2de192f40913"
        },
        {
          "url": "https://git.kernel.org/stable/c/0510d1ba0976f97f521feb2b75b0572ea5df3ceb"
        },
        {
          "url": "https://git.kernel.org/stable/c/383b7270faf42564f133134c2fc3c24bbae52615"
        },
        {
          "url": "https://git.kernel.org/stable/c/8756b68edae37ff546c02091989a4ceab3f20abd"
        }
      ],
      "title": "apparmor: fix side-effect bug in match_char() macro usage",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23406",
    "datePublished": "2026-04-01T08:36:36.460Z",
    "dateReserved": "2026-01-13T15:37:46.013Z",
    "dateUpdated": "2026-04-02T14:44:35.415Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23406\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-01T09:16:16.327\",\"lastModified\":\"2026-04-02T15:16:33.503\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\napparmor: fix side-effect bug in match_char() macro usage\\n\\nThe match_char() macro evaluates its character parameter multiple\\ntimes when traversing differential encoding chains. When invoked\\nwith *str++, the string pointer advances on each iteration of the\\ninner do-while loop, causing the DFA to check different characters\\nat each iteration and therefore skip input characters.\\nThis results in out-of-bounds reads when the pointer advances past\\nthe input buffer boundary.\\n\\n[   94.984676] ==================================================================\\n[   94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760\\n[   94.985655] Read of size 1 at addr ffff888100342000 by task file/976\\n\\n[   94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)\\n[   94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\\n[   94.986329] Call Trace:\\n[   94.986341]  \u003cTASK\u003e\\n[   94.986347]  dump_stack_lvl+0x5e/0x80\\n[   94.986374]  print_report+0xc8/0x270\\n[   94.986384]  ? aa_dfa_match+0x5ae/0x760\\n[   94.986388]  kasan_report+0x118/0x150\\n[   94.986401]  ? aa_dfa_match+0x5ae/0x760\\n[   94.986405]  aa_dfa_match+0x5ae/0x760\\n[   94.986408]  __aa_path_perm+0x131/0x400\\n[   94.986418]  aa_path_perm+0x219/0x2f0\\n[   94.986424]  apparmor_file_open+0x345/0x570\\n[   94.986431]  security_file_open+0x5c/0x140\\n[   94.986442]  do_dentry_open+0x2f6/0x1120\\n[   94.986450]  vfs_open+0x38/0x2b0\\n[   94.986453]  ? may_open+0x1e2/0x2b0\\n[   94.986466]  path_openat+0x231b/0x2b30\\n[   94.986469]  ? __x64_sys_openat+0xf8/0x130\\n[   94.986477]  do_file_open+0x19d/0x360\\n[   94.986487]  do_sys_openat2+0x98/0x100\\n[   94.986491]  __x64_sys_openat+0xf8/0x130\\n[   94.986499]  do_syscall_64+0x8e/0x660\\n[   94.986515]  ? count_memcg_events+0x15f/0x3c0\\n[   94.986526]  ? srso_alias_return_thunk+0x5/0xfbef5\\n[   94.986540]  ? handle_mm_fault+0x1639/0x1ef0\\n[   94.986551]  ? vma_start_read+0xf0/0x320\\n[   94.986558]  ? srso_alias_return_thunk+0x5/0xfbef5\\n[   94.986561]  ? srso_alias_return_thunk+0x5/0xfbef5\\n[   94.986563]  ? fpregs_assert_state_consistent+0x50/0xe0\\n[   94.986572]  ? srso_alias_return_thunk+0x5/0xfbef5\\n[   94.986574]  ? arch_exit_to_user_mode_prepare+0x9/0xb0\\n[   94.986587]  ? srso_alias_return_thunk+0x5/0xfbef5\\n[   94.986588]  ? irqentry_exit+0x3c/0x590\\n[   94.986595]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n[   94.986597] RIP: 0033:0x7fda4a79c3ea\\n\\nFix by extracting the character value before invoking match_char,\\nensuring single evaluation per outer loop.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0510d1ba0976f97f521feb2b75b0572ea5df3ceb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/383b7270faf42564f133134c2fc3c24bbae52615\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5a184f7cbdeaad17e16dedf3c17d0cd622edfed8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8756b68edae37ff546c02091989a4ceab3f20abd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b73c1dff8a9d7eeaebabf8097a5b2de192f40913\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.