CVE-2026-23406

EUVD-2026-17834

01.04.2026, 09:16

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix side-effect bug in match_char() macro usage

The match_char() macro evaluates its character parameter multiple
times when traversing differential encoding chains. When invoked
with *str++, the string pointer advances on each iteration of the
inner do-while loop, causing the DFA to check different characters
at each iteration and therefore skip input characters.
This results in out-of-bounds reads when the pointer advances past
the input buffer boundary.

[   94.984676] ==================================================================
[   94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760
[   94.985655] Read of size 1 at addr ffff888100342000 by task file/976

[   94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[   94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   94.986329] Call Trace:
[   94.986341]  <TASK>
[   94.986347]  dump_stack_lvl+0x5e/0x80
[   94.986374]  print_report+0xc8/0x270
[   94.986384]  ? aa_dfa_match+0x5ae/0x760
[   94.986388]  kasan_report+0x118/0x150
[   94.986401]  ? aa_dfa_match+0x5ae/0x760
[   94.986405]  aa_dfa_match+0x5ae/0x760
[   94.986408]  __aa_path_perm+0x131/0x400
[   94.986418]  aa_path_perm+0x219/0x2f0
[   94.986424]  apparmor_file_open+0x345/0x570
[   94.986431]  security_file_open+0x5c/0x140
[   94.986442]  do_dentry_open+0x2f6/0x1120
[   94.986450]  vfs_open+0x38/0x2b0
[   94.986453]  ? may_open+0x1e2/0x2b0
[   94.986466]  path_openat+0x231b/0x2b30
[   94.986469]  ? __x64_sys_openat+0xf8/0x130
[   94.986477]  do_file_open+0x19d/0x360
[   94.986487]  do_sys_openat2+0x98/0x100
[   94.986491]  __x64_sys_openat+0xf8/0x130
[   94.986499]  do_syscall_64+0x8e/0x660
[   94.986515]  ? count_memcg_events+0x15f/0x3c0
[   94.986526]  ? srso_alias_return_thunk+0x5/0xfbef5
[   94.986540]  ? handle_mm_fault+0x1639/0x1ef0
[   94.986551]  ? vma_start_read+0xf0/0x320
[   94.986558]  ? srso_alias_return_thunk+0x5/0xfbef5
[   94.986561]  ? srso_alias_return_thunk+0x5/0xfbef5
[   94.986563]  ? fpregs_assert_state_consistent+0x50/0xe0
[   94.986572]  ? srso_alias_return_thunk+0x5/0xfbef5
[   94.986574]  ? arch_exit_to_user_mode_prepare+0x9/0xb0
[   94.986587]  ? srso_alias_return_thunk+0x5/0xfbef5
[   94.986588]  ? irqentry_exit+0x3c/0x590
[   94.986595]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   94.986597] RIP: 0033:0x7fda4a79c3ea

Fix by extracting the character value before invoking match_char,
ensuring single evaluation per outer loop.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	6.1.164-1 fixed
bullseye	vulnerable
bullseye (security)	5.10.251-1 fixed
forky	6.19.8-1 fixed
sid	6.19.10-1 fixed
trixie	vulnerable
trixie (security)	6.12.74-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-hwe

bionic	ignored
jammy	dne
noble	dne
questing	dne
xenial	needs-triage

linux-hwe-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-hwe-5.8

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-hwe-5.11

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-hwe-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-hwe-5.19

jammy	ignored
noble	dne
questing	dne

linux-hwe-6.2

jammy	ignored
noble	dne
questing	dne

linux-hwe-6.5

jammy	ignored
noble	dne
questing	dne

linux-hwe-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-hwe-6.11

jammy	dne
noble	ignored
questing	dne

linux-hwe-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-hwe-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-hwe-edge

bionic	ignored
jammy	dne
noble	dne
questing	dne
xenial	ignored

linux-lts-xenial

jammy	dne
noble	dne
questing	dne
trusty	needs-triage

linux-kvm

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
questing	dne
xenial	needs-triage

linux-allwinner-5.19

jammy	ignored
noble	dne
questing	dne

linux-aws

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-aws-5.0

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-aws-5.3

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-aws-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-aws-5.8

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-aws-5.11

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-aws-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-aws-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-aws-5.19

jammy	ignored
noble	dne
questing	dne

linux-aws-6.2

jammy	ignored
noble	dne
questing	dne

linux-aws-6.5

jammy	ignored
noble	dne
questing	dne

linux-aws-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-aws-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-aws-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-aws-hwe

jammy	dne
noble	dne
questing	dne
xenial	needs-triage

linux-azure

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-azure-4.15

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-azure-5.3

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-azure-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-azure-5.8

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-azure-5.11

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-azure-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-azure-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-azure-5.19

jammy	ignored
noble	dne
questing	dne

linux-azure-6.2

jammy	ignored
noble	dne
questing	dne

linux-azure-6.5

jammy	ignored
noble	dne
questing	dne

linux-azure-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-azure-6.11

jammy	dne
noble	ignored
questing	dne

linux-azure-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-azure-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-azure-fde

focal	ignored
jammy	needs-triage
noble	needs-triage
questing	needs-triage

linux-azure-fde-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-azure-fde-5.19

jammy	ignored
noble	dne
questing	dne

linux-azure-fde-6.2

jammy	ignored
noble	dne
questing	dne

linux-azure-fde-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-azure-fde-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-azure-fde-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-azure-nvidia

jammy	dne
noble	needs-triage
questing	dne

linux-azure-nvidia-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-bluefield

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-azure-edge

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-fips

bionic	needs-triage
focal	needs-triage
jammy	dne
noble	dne
questing	dne
xenial	needs-triage

linux-aws-fips

bionic	needs-triage
focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-azure-fips

bionic	needs-triage
focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-gcp-fips

bionic	needs-triage
focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-gcp

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage
xenial	needs-triage

linux-gcp-4.15

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-gcp-5.3

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-gcp-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-gcp-5.8

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-gcp-5.11

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-gcp-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-gcp-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-gcp-5.19

jammy	ignored
noble	dne
questing	dne

linux-gcp-6.2

jammy	ignored
noble	dne
questing	dne

linux-gcp-6.5

jammy	ignored
noble	dne
questing	dne

linux-gcp-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-gcp-6.11

jammy	dne
noble	ignored
questing	dne

linux-gcp-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-gcp-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-gke

focal	ignored
jammy	needs-triage
noble	needs-triage
questing	dne

linux-gke-4.15

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-gke-5.4

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-gke-5.15

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-gkeop

focal	ignored
jammy	needs-triage
noble	needs-triage
questing	dne

linux-gkeop-5.4

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-gkeop-5.15

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-ibm

focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	dne

linux-ibm-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-ibm-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-ibm-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-intel-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-intel-iotg

jammy	needs-triage
noble	dne
questing	dne

linux-intel-iotg-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-iot

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-intel-iot-realtime

jammy	ignored
noble	dne
questing	dne

linux-lowlatency

jammy	needs-triage
noble	needs-triage
questing	dne

linux-lowlatency-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-lowlatency-hwe-5.19

jammy	ignored
noble	dne
questing	dne

linux-lowlatency-hwe-6.2

jammy	ignored
noble	dne
questing	dne

linux-lowlatency-hwe-6.5

jammy	ignored
noble	dne
questing	dne

linux-lowlatency-hwe-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-lowlatency-hwe-6.11

jammy	dne
noble	ignored
questing	dne

linux-nvidia

jammy	needs-triage
noble	needs-triage
questing	dne

linux-nvidia-6.2

jammy	ignored
noble	dne
questing	dne

linux-nvidia-6.5

jammy	ignored
noble	dne
questing	dne

linux-nvidia-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-nvidia-6.11

jammy	dne
noble	ignored
questing	dne

linux-nvidia-lowlatency

jammy	dne
noble	needs-triage
questing	dne

linux-nvidia-tegra

jammy	needs-triage
noble	needs-triage
questing	dne

linux-nvidia-tegra-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-nvidia-tegra-igx

jammy	needs-triage
noble	dne
questing	dne

linux-oracle

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage
xenial	needs-triage

linux-oracle-5.0

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-oracle-5.3

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-oracle-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-oracle-5.8

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oracle-5.11

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oracle-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oracle-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-oracle-6.5

jammy	ignored
noble	dne
questing	dne

linux-oracle-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-oracle-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-oracle-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-oem

bionic	ignored
jammy	dne
noble	dne
questing	dne

linux-oem-5.6

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oem-5.10

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oem-5.13

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oem-5.14

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-oem-5.17

jammy	ignored
noble	dne
questing	dne

linux-oem-6.0

jammy	ignored
noble	dne
questing	dne

linux-oem-6.1

jammy	ignored
noble	dne
questing	dne

linux-oem-6.5

jammy	ignored
noble	dne
questing	dne

linux-oem-6.8

jammy	dne
noble	ignored
questing	dne

linux-oem-6.11

jammy	dne
noble	ignored
questing	dne

linux-oem-6.14

jammy	dne
noble	needs-triage
questing	dne

linux-oem-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-raspi

focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage

linux-raspi2

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-raspi-5.4

bionic	needs-triage
jammy	dne
noble	dne
questing	dne

linux-raspi-realtime

jammy	dne
noble	ignored
questing	dne

linux-realtime

jammy	ignored
noble	ignored
questing	needs-triage

linux-realtime-6.8

jammy	dne
noble	dne
questing	dne

linux-realtime-6.14

jammy	dne
noble	dne
questing	dne

linux-riscv

focal	ignored
jammy	ignored
noble	ignored
questing	needs-triage

linux-riscv-5.8

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-riscv-5.11

focal	ignored
jammy	dne
noble	dne
questing	dne

linux-riscv-5.15

focal	needs-triage
jammy	dne
noble	dne
questing	dne

linux-riscv-5.19

jammy	ignored
noble	dne
questing	dne

linux-riscv-6.5

jammy	ignored
noble	dne
questing	dne

linux-riscv-6.8

jammy	needs-triage
noble	dne
questing	dne

linux-riscv-6.14

jammy	dne
noble	ignored
questing	dne

linux-riscv-6.17

jammy	dne
noble	needs-triage
questing	dne

linux-starfive-5.19

jammy	ignored
noble	dne
questing	dne

linux-starfive-6.2

jammy	ignored
noble	dne
questing	dne

linux-starfive-6.5

jammy	ignored
noble	dne
questing	dne

linux-xilinx

jammy	dne
noble	needs-triage
questing	dne

linux-xilinx-zynqmp

focal	needs-triage
jammy	needs-triage
noble	dne
questing	dne

linux-realtime-6.17

jammy	dne
noble	dne
questing	dne

References

https://git.kernel.org/stable/c/0510d1ba0976f97f521feb2b75b0572ea5df3ceb

https://git.kernel.org/stable/c/383b7270faf42564f133134c2fc3c24bbae52615

https://git.kernel.org/stable/c/5a184f7cbdeaad17e16dedf3c17d0cd622edfed8

https://git.kernel.org/stable/c/8756b68edae37ff546c02091989a4ceab3f20abd

https://git.kernel.org/stable/c/b73c1dff8a9d7eeaebabf8097a5b2de192f40913