{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23269", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.991Z", "datePublished": "2026-03-18T17:54:42.988Z", "dateUpdated": "2026-05-11T22:03:35.779Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:03:35.779Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: validate DFA start states are in bounds in unpack_pdb\n\nStart states are read from untrusted data and used as indexes into the\nDFA state tables. The aa_dfa_next() function call in unpack_pdb() will\naccess dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds\nthe number of states in the DFA, this results in an out-of-bound read.\n\n==================================================================\n BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360\n Read of size 4 at addr ffff88811956fb90 by task su/1097\n ...\n\nReject policies with out-of-bounds start states during unpacking\nto prevent the issue."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/apparmor/policy_unpack.c"], "versions": [{"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592", "lessThan": "f43eea8ae0102ea198da211ef7f5ce83725ecf19", "status": "affected", "versionType": "git"}, {"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592", "lessThan": "5487871b2b56c19d26936ed6fdc62652b30941df", "status": "affected", "versionType": "git"}, {"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592", "lessThan": "5443c027ec16afa55b1b8a3e7a1ab2ea3c77767a", "status": "affected", "versionType": "git"}, {"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592", "lessThan": "07cf6320f40ea2ccfad63728cff34ecb309d03da", "status": "affected", "versionType": "git"}, {"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592", "lessThan": "15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c", "status": "affected", "versionType": "git"}, {"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592", "lessThan": "0baadb0eece2c4d939db10d3c323b4652ac79a58", "status": "affected", "versionType": "git"}, {"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592", "lessThan": "3bb7db43e32190c973d4019037cedb7895920184", "status": "affected", "versionType": "git"}, {"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592", "lessThan": "9063d7e2615f4a7ab321de6b520e23d370e58816", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/apparmor/policy_unpack.c"], "versions": [{"version": "3.4", "status": "affected"}, {"version": "0", "lessThan": "3.4", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.18", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.8", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.18.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "6.19.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f43eea8ae0102ea198da211ef7f5ce83725ecf19"}, {"url": "https://git.kernel.org/stable/c/5487871b2b56c19d26936ed6fdc62652b30941df"}, {"url": "https://git.kernel.org/stable/c/5443c027ec16afa55b1b8a3e7a1ab2ea3c77767a"}, {"url": "https://git.kernel.org/stable/c/07cf6320f40ea2ccfad63728cff34ecb309d03da"}, {"url": "https://git.kernel.org/stable/c/15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c"}, {"url": "https://git.kernel.org/stable/c/0baadb0eece2c4d939db10d3c323b4652ac79a58"}, {"url": "https://git.kernel.org/stable/c/3bb7db43e32190c973d4019037cedb7895920184"}, {"url": "https://git.kernel.org/stable/c/9063d7e2615f4a7ab321de6b520e23d370e58816"}, {"url": "https://www.qualys.com/2026/03/10/crack-armor.txt"}], "title": "apparmor: validate DFA start states are in bounds in unpack_pdb", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: validate DFA start states are in bounds in unpack_pdb\n\nStart states are read from untrusted data and used as indexes into the\nDFA state tables. The aa_dfa_next() function call in unpack_pdb() will\naccess dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds\nthe number of states in the DFA, this results in an out-of-bound read.\n\n==================================================================\n BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360\n Read of size 4 at addr ffff88811956fb90 by task su/1097\n ...\n\nReject policies with out-of-bounds start states during unpacking\nto prevent the issue."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\napparmor: validar que los estados iniciales de DFA est\u00e1n dentro de los l\u00edmites en unpack_pdb\n\nLos estados iniciales se leen de datos no confiables y se usan como \u00edndices en las tablas de estados de DFA. La llamada a la funci\u00f3n aa_dfa_next() en unpack_pdb() acceder\u00e1 a dfa->tables[YYTD_ID_BASE][start], y si el estado inicial excede el n\u00famero de estados en el DFA, esto resulta en una lectura fuera de l\u00edmites.\n\n==================================================================\nERROR: KASAN: slab-out-of-bounds en aa_dfa_next+0x2a1/0x360\nLectura de tama\u00f1o 4 en la direcci\u00f3n ffff88811956fb90 por la tarea su/1097\n...\n\nRechazar pol\u00edticas con estados iniciales fuera de l\u00edmites durante el desempaquetado para prevenir el problema."}], "id": "CVE-2026-23269", "lastModified": "2026-04-18T09:16:15.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-18T18:16:25.907", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/07cf6320f40ea2ccfad63728cff34ecb309d03da"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0baadb0eece2c4d939db10d3c323b4652ac79a58"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3bb7db43e32190c973d4019037cedb7895920184"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5443c027ec16afa55b1b8a3e7a1ab2ea3c77767a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5487871b2b56c19d26936ed6fdc62652b30941df"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9063d7e2615f4a7ab321de6b520e23d370e58816"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f43eea8ae0102ea198da211ef7f5ce83725ecf19"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://www.qualys.com/2026/03/10/crack-armor.txt"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: apparmor: validate DFA start states are in bounds in unpack_pdb", "id": "2448753", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448753"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23269", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23269\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23269\nhttps://lore.kernel.org/linux-cve-announce/2026031846-CVE-2026-23269-2bf7@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ad5ff3db53c68c2f12936bc74ea5dfe0af943592,15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ad5ff3db53c68c2f12936bc74ea5dfe0af943592,0baadb0eece2c4d939db10d3c323b4652ac79a58)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ad5ff3db53c68c2f12936bc74ea5dfe0af943592,3bb7db43e32190c973d4019037cedb7895920184)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ad5ff3db53c68c2f12936bc74ea5dfe0af943592,9063d7e2615f4a7ab321de6b520e23d370e58816)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.18,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.8,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc4,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-02T22:46:54.793071+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the AppArmor start\u2011state bounds check", "If an immediate kernel update is not feasible, restrict the loading of untrusted AppArmor policy files using filesystem ACLs or other security controls", "Verify the integrity of all AppArmor policy files and kernel modules via checksums or digital signatures"], "summary": {"action": "Update kernel", "impact": "Kernel Out\u2011of\u2011Bound Read"}, "threat_synthesis": {"affected_systems": "The flaw resides in the core Linux kernel and therefore affects any Linux distribution that includes the AppArmor module as part of its kernel. No specific kernel release range is listed by the CNA; the patch that resolves the issue was committed in March\u202f2026 and is incorporated into all kernel releases that contain that commit.", "description_and_impact": "The AppArmor subsystem in the Linux kernel reads start\u2011state values from policy files that may be supplied by untrusted sources. During the unpacking of a policy the kernel interprets these values as indices into its deterministic finite automaton (DFA) tables. If a start state exceeds the number of entries in the DFA table, the kernel performs an out\u2011of\u2011bounds read of kernel memory. This read can expose privileged information and may serve as a foothold for further exploitation, such as privilege escalation.", "risk_and_exploitability": "The CVSS v3 score of 7.1 classifies this issue as high severity. The EPSS score is below 1\u202f%, indicating that exploitation is unlikely to be widespread, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to craft an AppArmor policy containing an out\u2011of\u2011bounds start state and to trigger its loading by the system. The resulting read can expose kernel data, and with additional steps could lead to privilege escalation."}}}}, "created": "2026-03-19T08:55:49.552907+00:00", "updated": "2026-04-03T09:39:21.735463+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-125", "CWE-129"]}