{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23404", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.012Z", "datePublished": "2026-04-01T08:36:35.032Z", "dateUpdated": "2026-05-11T22:06:15.286Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:06:15.286Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: replace recursive profile removal with iterative approach\n\nThe profile removal code uses recursion when removing nested profiles,\nwhich can lead to kernel stack exhaustion and system crashes.\n\nReproducer:\n $ pf='a'; for ((i=0; i<1024; i++)); do\n echo -e \"profile $pf { \\n }\" | apparmor_parser -K -a;\n pf=\"$pf//x\";\n done\n $ echo -n a > /sys/kernel/security/apparmor/.remove\n\nReplace the recursive __aa_profile_list_release() approach with an\niterative approach in __remove_profile(). The function repeatedly\nfinds and removes leaf profiles until the entire subtree is removed,\nmaintaining the same removal semantic without recursion."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/apparmor/policy.c"], "versions": [{"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92", "lessThan": "ea854f032190cc9f26dc4a0e727090c89e55e342", "status": "affected", "versionType": "git"}, {"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92", "lessThan": "4fdc847b107321dec22bf8ecd6019b7af76d7886", "status": "affected", "versionType": "git"}, {"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92", "lessThan": "b36a04284d0208be94e5e401409caa00e2bf1be1", "status": "affected", "versionType": "git"}, {"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92", "lessThan": "33959a491e9fd557abfa5fce5ae4637d400915d3", "status": "affected", "versionType": "git"}, {"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92", "lessThan": "999bd704b0b641527a5ed46f0d969deff8cfa68b", "status": "affected", "versionType": "git"}, {"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92", "lessThan": "7eade846e013cbe8d2dc4a484463aa19e6515c7f", "status": "affected", "versionType": "git"}, {"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92", "lessThan": "a6a941a1294ac5abe22053dc501d25aed96e48fe", "status": "affected", "versionType": "git"}, {"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92", "lessThan": "ab09264660f9de5d05d1ef4e225aa447c63a8747", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/apparmor/policy.c"], "versions": [{"version": "2.6.36", "status": "affected"}, {"version": "0", "lessThan": "2.6.36", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.18", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.8", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.18.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.19.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ea854f032190cc9f26dc4a0e727090c89e55e342"}, {"url": "https://git.kernel.org/stable/c/4fdc847b107321dec22bf8ecd6019b7af76d7886"}, {"url": "https://git.kernel.org/stable/c/b36a04284d0208be94e5e401409caa00e2bf1be1"}, {"url": "https://git.kernel.org/stable/c/33959a491e9fd557abfa5fce5ae4637d400915d3"}, {"url": "https://git.kernel.org/stable/c/999bd704b0b641527a5ed46f0d969deff8cfa68b"}, {"url": "https://git.kernel.org/stable/c/7eade846e013cbe8d2dc4a484463aa19e6515c7f"}, {"url": "https://git.kernel.org/stable/c/a6a941a1294ac5abe22053dc501d25aed96e48fe"}, {"url": "https://git.kernel.org/stable/c/ab09264660f9de5d05d1ef4e225aa447c63a8747"}], "title": "apparmor: replace recursive profile removal with iterative approach", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A0CBC198-582C-40A0-A6C1-C5B39993F590", "versionEndExcluding": "5.10.253", "versionStartIncluding": "2.6.36.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBEC0E5D-641C-4E98-A6D9-5799B10CE451", "versionEndExcluding": "6.1.169", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "346AD1FB-0CE8-4D9D-8E56-5EB1A4D06199", "versionEndExcluding": "6.18.18", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C65A7D85-C7C6-485E-AC35-66A374C73FAC", "versionEndExcluding": "6.19.8", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.36:-:*:*:*:*:*:*", "matchCriteriaId": "D4407EF9-4ECF-408F-9ECB-0705E3FB65D5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: replace recursive profile removal with iterative approach\n\nThe profile removal code uses recursion when removing nested profiles,\nwhich can lead to kernel stack exhaustion and system crashes.\n\nReproducer:\n $ pf='a'; for ((i=0; i<1024; i++)); do\n echo -e \"profile $pf { \\n }\" | apparmor_parser -K -a;\n pf=\"$pf//x\";\n done\n $ echo -n a > /sys/kernel/security/apparmor/.remove\n\nReplace the recursive __aa_profile_list_release() approach with an\niterative approach in __remove_profile(). The function repeatedly\nfinds and removes leaf profiles until the entire subtree is removed,\nmaintaining the same removal semantic without recursion."}], "id": "CVE-2026-23404", "lastModified": "2026-04-24T18:40:10.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-01T09:16:15.977", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/33959a491e9fd557abfa5fce5ae4637d400915d3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4fdc847b107321dec22bf8ecd6019b7af76d7886"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7eade846e013cbe8d2dc4a484463aa19e6515c7f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/999bd704b0b641527a5ed46f0d969deff8cfa68b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a6a941a1294ac5abe22053dc501d25aed96e48fe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ab09264660f9de5d05d1ef4e225aa447c63a8747"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b36a04284d0208be94e5e401409caa00e2bf1be1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ea854f032190cc9f26dc4a0e727090c89e55e342"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: apparmor: replace recursive profile removal with iterative approach", "id": "2453799", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453799"}, "csaw": false, "cwe": "CWE-770", "details": ["A flaw was found in the Linux kernel's AppArmor security module. A local user could trigger a denial of service by initiating a recursive profile removal operation with deeply nested profiles. This recursive process can lead to kernel stack exhaustion, causing the system to crash."], "name": "CVE-2026-23404", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23404\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23404\nhttps://lore.kernel.org/linux-cve-announce/2026040111-CVE-2026-23404-8b0b@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c88d4c7b049e87998ac0a9f455aa545cc895ef92,33959a491e9fd557abfa5fce5ae4637d400915d3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c88d4c7b049e87998ac0a9f455aa545cc895ef92,999bd704b0b641527a5ed46f0d969deff8cfa68b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c88d4c7b049e87998ac0a9f455aa545cc895ef92,7eade846e013cbe8d2dc4a484463aa19e6515c7f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c88d4c7b049e87998ac0a9f455aa545cc895ef92,a6a941a1294ac5abe22053dc501d25aed96e48fe)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c88d4c7b049e87998ac0a9f455aa545cc895ef92,ab09264660f9de5d05d1ef4e225aa447c63a8747)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.36"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.36)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.18,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.8,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc4,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T21:54:09.000047+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a version that implements the iterative profile removal logic.", "If an update is not available, consider disabling the AppArmor subsystem or restricting profile deletion permissions to mitigate the recursion path.", "Monitor system logs for kernel stack exhaustion or panic messages that could indicate use of the vulnerable code path."], "summary": {"action": "Immediate Patch", "impact": "Kernel Crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "Any system running a Linux kernel that includes the AppArmor module and has not yet migrated to the iterative profile removal logic is potentially vulnerable. The CVE does not provide a specific version range, so administrators should verify whether their current kernel implements the iterative approach found in recent kernel releases.", "description_and_impact": "The AppArmor subsystem in the Linux kernel originally used a recursive routine to delete nested security profiles. When a large hierarchy of profiles is removed, the unchecked recursion can exhaust the kernel stack and cause a panic, resulting in a complete system crash. This vulnerability is a classic resource\u2011exhaustion flaw associated with CWE\u2011770. Based on the description, it is inferred that an attacker would need the ability to create or delete many nested AppArmor profiles, which requires elevated privileges.", "risk_and_exploitability": "The EPSS score is below 1% and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating a low likelihood of real\u2011world exploitation. Based on the description, it is inferred that an attacker would need the ability to create or delete many nested AppArmor profiles, which typically requires elevated privileges. If exploited, the outcome is a kernel panic and complete denial of service until a reboot. The CVSS score of 5.5 classifies the vulnerability as medium severity."}}}}, "created": "2026-04-02T07:49:40.175143+00:00", "updated": "2026-04-28T22:00:14.145929+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}