Description
In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix unprivileged local user can do privileged policy management

An unprivileged local user can load, replace, and remove profiles by
opening the apparmorfs interfaces, via a confused deputy attack, by
passing the opened fd to a privileged process, and getting the
privileged process to write to the interface.

This does require a privileged target that can be manipulated to do
the write for the unprivileged process, but once such access is
achieved full policy management is possible and all the possible
implications that implies: removing confinement, DoS of system or
target applications by denying all execution, by-passing the
unprivileged user namespace restriction, to exploiting kernel bugs for
a local privilege escalation.

The policy management interface can not have its permissions simply
changed from 0666 to 0600 because non-root processes need to be able
to load policy to different policy namespaces.

Instead ensure the task writing the interface has privileges that
are a subset of the task that opened the interface. This is already
done via policy for confined processes, but unconfined can delegate
access to the opened fd, by-passing the usual policy check.
Published: 2026-03-18
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

An attacker with ordinary local privileges can manipulate AppArmor by opening the apparmor filesystem interfaces and passing the resulting file descriptor to a privileged process. Through this confused‑deputy technique the privileged process performs writes that load, replace, or delete policies. Such unauthorized policy changes can remove confinement, deny execution of applications (DoS), bypass user‑namespace restrictions, or act as a foothold for further kernel‑level privilege escalation. The weakness is a failure of access control over the policy management interface.

Affected Systems

All Linux kernel versions that include AppArmor and have not yet applied the commit enforcing stricter access checks are affected. The issue is present in any distribution shipping the unpatched kernel, regardless of vendor. Specific kernel release numbers are not listed, so all unmodified kernels with AppArmor enabled should be considered vulnerable.

Risk and Exploitability

The CVSS v3 score of 7.8 indicates high severity, yet the EPSS probability is below 1%, implying a low chance of widespread exploitation. The vulnerability is not part of the CISA Known Exploited Vulnerabilities catalog. Exploitation requires a local user to coerce a privileged process into performing the write; once this is achieved, the attacker gains full control of policy management and can compromise the system.

Generated by OpenCVE AI on April 3, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the AppArmor access‑check fix.
  • If an immediate kernel upgrade is not possible, enforce stricter permissions on the apparmorfs interfaces to prevent any unconfined process from initiating writes, and disable policy loading for unconfined users.
  • Disable AppArmor policy loading for unprivileged user namespaces where feasible.
  • Continuously monitor apparmorfs for unexpected policy changes and establish alerts for suspicious activity.

Generated by OpenCVE AI on April 3, 2026 at 00:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8141-1 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-8152-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8164-1 Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8165-1 Linux kernel (Azure FIPS) vulnerabilities
History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-272
CWE-285

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-272
CWE-285

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
CWE-640

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
CWE-640

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-790

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
References

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-790

Mon, 23 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
References

Thu, 19 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References

Wed, 18 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: apparmor: fix unprivileged local user can do privileged policy management An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by passing the opened fd to a privileged process, and getting the privileged process to write to the interface. This does require a privileged target that can be manipulated to do the write for the unprivileged process, but once such access is achieved full policy management is possible and all the possible implications that implies: removing confinement, DoS of system or target applications by denying all execution, by-passing the unprivileged user namespace restriction, to exploiting kernel bugs for a local privilege escalation. The policy management interface can not have its permissions simply changed from 0666 to 0600 because non-root processes need to be able to load policy to different policy namespaces. Instead ensure the task writing the interface has privileges that are a subset of the task that opened the interface. This is already done via policy for confined processes, but unconfined can delegate access to the opened fd, by-passing the usual policy check.
Title apparmor: fix unprivileged local user can do privileged policy management
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T14:44:03.025Z

Reserved: 2026-01-13T15:37:45.991Z

Link: CVE-2026-23268

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-18T18:16:25.753

Modified: 2026-04-02T15:16:27.533

Link: CVE-2026-23268

cve-icon Redhat

Severity :

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23268 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:39:22Z

Weaknesses