{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23408", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.013Z", "datePublished": "2026-04-01T08:36:37.873Z", "dateUpdated": "2026-05-11T22:06:19.995Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:06:19.995Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix double free of ns_name in aa_replace_profiles()\n\nif ns_name is NULL after\n1071 error = aa_unpack(udata, &lh, &ns_name);\n\nand if ent->ns_name contains an ns_name in\n1089 } else if (ent->ns_name) {\n\nthen ns_name is assigned the ent->ns_name\n1095 ns_name = ent->ns_name;\n\nhowever ent->ns_name is freed at\n1262 aa_load_ent_free(ent);\n\nand then again when freeing ns_name at\n1270 kfree(ns_name);\n\nFix this by NULLing out ent->ns_name after it is transferred to ns_name\n\n\")"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/apparmor/policy.c"], "versions": [{"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a", "lessThan": "c6347a2116ecccb8fd9ee4ebc75ae41d1d7ef689", "status": "affected", "versionType": "git"}, {"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a", "lessThan": "c053ae381ce227577567d1ef10090ce7506d7a28", "status": "affected", "versionType": "git"}, {"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a", "lessThan": "35f4caec1352054b9a61cfdf2bf1898073637aa0", "status": "affected", "versionType": "git"}, {"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a", "lessThan": "55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a", "status": "affected", "versionType": "git"}, {"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a", "lessThan": "86feeccd6b93ed94bd6655f30de80f163f8d5a45", "status": "affected", "versionType": "git"}, {"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a", "lessThan": "7998ab3010d2317643f91828f1853d954ef31387", "status": "affected", "versionType": "git"}, {"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a", "lessThan": "18b5233e860c294a847ee07869d93c0b8673a54b", "status": "affected", "versionType": "git"}, {"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a", "lessThan": "5df0c44e8f5f619d3beb871207aded7c78414502", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/apparmor/policy.c"], "versions": [{"version": "5.5", "status": "affected"}, {"version": "0", "lessThan": "5.5", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.18", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.8", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.18.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.19.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c6347a2116ecccb8fd9ee4ebc75ae41d1d7ef689"}, {"url": "https://git.kernel.org/stable/c/c053ae381ce227577567d1ef10090ce7506d7a28"}, {"url": "https://git.kernel.org/stable/c/35f4caec1352054b9a61cfdf2bf1898073637aa0"}, {"url": "https://git.kernel.org/stable/c/55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a"}, {"url": "https://git.kernel.org/stable/c/86feeccd6b93ed94bd6655f30de80f163f8d5a45"}, {"url": "https://git.kernel.org/stable/c/7998ab3010d2317643f91828f1853d954ef31387"}, {"url": "https://git.kernel.org/stable/c/18b5233e860c294a847ee07869d93c0b8673a54b"}, {"url": "https://git.kernel.org/stable/c/5df0c44e8f5f619d3beb871207aded7c78414502"}], "title": "apparmor: Fix double free of ns_name in aa_replace_profiles()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "45E871E1-B00E-4E88-83A3-60B38EAF2B8A", "versionEndExcluding": "5.10.253", "versionStartIncluding": "5.5.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBEC0E5D-641C-4E98-A6D9-5799B10CE451", "versionEndExcluding": "6.1.169", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "346AD1FB-0CE8-4D9D-8E56-5EB1A4D06199", "versionEndExcluding": "6.18.18", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C65A7D85-C7C6-485E-AC35-66A374C73FAC", "versionEndExcluding": "6.19.8", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.5:-:*:*:*:*:*:*", "matchCriteriaId": "EE98F46A-F7D9-4609-B6A0-882E7F0D378C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix double free of ns_name in aa_replace_profiles()\n\nif ns_name is NULL after\n1071 error = aa_unpack(udata, &lh, &ns_name);\n\nand if ent->ns_name contains an ns_name in\n1089 } else if (ent->ns_name) {\n\nthen ns_name is assigned the ent->ns_name\n1095 ns_name = ent->ns_name;\n\nhowever ent->ns_name is freed at\n1262 aa_load_ent_free(ent);\n\nand then again when freeing ns_name at\n1270 kfree(ns_name);\n\nFix this by NULLing out ent->ns_name after it is transferred to ns_name\n\n\")"}], "id": "CVE-2026-23408", "lastModified": "2026-04-24T15:24:02.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-01T09:16:16.747", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/18b5233e860c294a847ee07869d93c0b8673a54b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/35f4caec1352054b9a61cfdf2bf1898073637aa0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5df0c44e8f5f619d3beb871207aded7c78414502"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7998ab3010d2317643f91828f1853d954ef31387"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/86feeccd6b93ed94bd6655f30de80f163f8d5a45"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c053ae381ce227577567d1ef10090ce7506d7a28"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c6347a2116ecccb8fd9ee4ebc75ae41d1d7ef689"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: apparmor: Fix double free of ns_name in aa_replace_profiles()", "id": "2453798", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453798"}, "csaw": false, "cwe": "CWE-1341", "details": ["A flaw was found in AppArmor within the Linux kernel. This vulnerability involves a double free of the `ns_name` variable in the `aa_replace_profiles()` function. This can occur when `ns_name` is assigned from `ent->ns_name` without properly nulling out `ent->ns_name`, leading to it being freed twice. A local attacker could potentially exploit this memory corruption to cause a denial of service or other unpredictable system behavior."], "name": "CVE-2026-23408", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23408\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23408\nhttps://lore.kernel.org/linux-cve-announce/2026040113-CVE-2026-23408-1932@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[145a0ef21c8e944957f58e2c8ffcd8a10f46266a,55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[145a0ef21c8e944957f58e2c8ffcd8a10f46266a,86feeccd6b93ed94bd6655f30de80f163f8d5a45)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[145a0ef21c8e944957f58e2c8ffcd8a10f46266a,7998ab3010d2317643f91828f1853d954ef31387)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[145a0ef21c8e944957f58e2c8ffcd8a10f46266a,18b5233e860c294a847ee07869d93c0b8673a54b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[145a0ef21c8e944957f58e2c8ffcd8a10f46266a,5df0c44e8f5f619d3beb871207aded7c78414502)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.5)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.18,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.8,*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc4,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:51:49.791585+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that nulls out ent->ns_name after it is transferred, ensuring the double free is eliminated", "Reboot the system to clear any state that may have been corrupted by the double free", "Monitor kernel logs for abnormal crashes or memory corruption indicators during the transition period"], "summary": {"action": "Patch", "impact": "Kernel memory corruption that may trigger a crash or privilege escalation"}, "threat_synthesis": {"affected_systems": "All installations of the Linux kernel that include the AppArmor module and run versions prior to the patch commit are affected. The CPE list indicates linux:linux_kernel, so every distribution using an older kernel version that has not incorporated the fix is vulnerable. No specific vendor or version numbers are listed, so systems should treat any kernel version before the commit as vulnerable.", "description_and_impact": "A double free occurs within the AppArmor subsystem of the Linux kernel when the namespace name pointer is duplicated and subsequently freed twice. This memory management flaw can corrupt kernel memory, potentially leading to a kernel crash or, if exploited, privilege escalation. The weakness is classified as CWE\u20111341 and CWE\u2011415, indicating an unmatched deallocation error and a double free. The CVSS score of 7.8 denotes a high severity.", "risk_and_exploitability": "The EPSS score is below 1\u202f%, suggesting a low probability that an exploit will appear in the near term. The vulnerability is not listed in the CISA KEV catalog, indicating no known public exploits. The attack vector is likely local, requiring the attacker to have code execution with kernel privileges or to exploit a local exploit that can run within the kernel. If successful, the attacker could cause a denial\u2011of\u2011service or elevate privileges. Due to the high CVSS score, the risk to systems that have not applied the patch remains significant."}}}}, "created": "2026-04-02T07:49:35.866941+00:00", "updated": "2026-04-28T17:00:13.440608+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}