Description
In the Linux kernel, the following vulnerability has been resolved:

apparmor: validate DFA start states are in bounds in unpack_pdb

Start states are read from untrusted data and used as indexes into the
DFA state tables. The aa_dfa_next() function call in unpack_pdb() will
access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds
the number of states in the DFA, this results in an out-of-bound read.

==================================================================
BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
Read of size 4 at addr ffff88811956fb90 by task su/1097
...

Reject policies with out-of-bounds start states during unpacking
to prevent the issue.
Published: 2026-03-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel Out-of-Bounds Read
Action: Update kernel
AI Analysis

Impact

The AppArmor subsystem in the Linux kernel reads start-state values from policy files that may be supplied by untrusted sources. During the unpacking of a policy the kernel interprets these values as indices into its deterministic finite automaton (DFA) tables. If a start state exceeds the number of entries in the DFA table, the kernel performs an out-of-bounds read of kernel memory. This read can expose privileged information and may serve as a foothold for further exploitation, such as privilege escalation.
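As an added example (not kernel code and not part of the OpenCVE record), the following C model shows the check the Description and the Impact paragraph describe: a start state read from an untrusted policy is only usable as an index into tables[YYTD_ID_BASE] once it has been compared with that table's entry count. The struct layout, the td_lolen field, the model_* names and the -EPROTO rejection code are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define YYTD_ID_BASE  0   /* table name taken from the CVE text */
#define MODEL_NSTATES 4   /* constructed: states in the sample DFA */

/* Constructed model of one DFA table: td_lolen entries are valid. */
struct model_table {
    uint32_t td_lolen;
    uint32_t td_data[MODEL_NSTATES];
};
struct model_dfa {
    struct model_table *tables[1];
};

/* Shape of the pre-fix lookup: td_data[start] is read for whatever start
 * was unpacked, so callers must pass only an already validated state. */
static uint32_t model_dfa_next(const struct model_dfa *dfa, uint32_t start)
{
    return dfa->tables[YYTD_ID_BASE]->td_data[start];
}

/* The fix as the CVE describes it: compare every untrusted start state
 * against the table length before any lookup. -EPROTO is this model's
 * choice of rejection code, not necessarily the kernel's. */
static int validate_start_states(const struct model_dfa *dfa,
                                 const uint32_t *starts, size_t n)
{
    uint32_t nstates = dfa->tables[YYTD_ID_BASE]->td_lolen;

    for (size_t i = 0; i < n; i++)
        if (starts[i] >= nstates)   /* unsigned: also rejects wrapped values */
            return -EPROTO;
    return 0;
}

/* Constructed sample DFA with 4 states whose base values are 10..40. */
const struct model_dfa *model_dfa_sample(void)
{
    static struct model_table base = { MODEL_NSTATES, { 10, 20, 30, 40 } };
    static struct model_dfa dfa = { { &base } };
    return &dfa;
}
```

A policy whose start states are all below td_lolen passes and may then be looked up; one containing the value MODEL_NSTATES (one past the last valid entry) is rejected before model_dfa_next() is ever called.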

Affected Systems

The flaw resides in the core Linux kernel and therefore affects any Linux distribution that includes the AppArmor module as part of its kernel. No specific kernel release range is listed by the CNA; the patch that resolves the issue was committed in March 2026 and is incorporated into all kernel releases that contain that commit.

Risk and Exploitability

The CVSS v3.1 score of 7.1 classifies this issue as high severity. The EPSS score is below 1%, indicating that exploitation is unlikely to be widespread, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to craft an AppArmor policy containing an out-of-bounds start state and to trigger its loading by the system. The resulting read can expose kernel data, and with additional steps could lead to privilege escalation.

Generated by OpenCVE AI on April 2, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the AppArmor start-state bounds check
  • If an immediate kernel update is not feasible, restrict the loading of untrusted AppArmor policy files using filesystem ACLs or other security controls
  • Verify the integrity of all AppArmor policy files and kernel modules via checksums or digital signatures

Advisories
Source      ID          Title
Ubuntu USN  USN-8141-1  Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN  USN-8152-1  Linux kernel (OEM) vulnerabilities
Ubuntu USN  USN-8163-1  Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN  USN-8164-1  Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN  USN-8165-1  Linux kernel (Azure FIPS) vulnerabilities
History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-129

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-788

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-788

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Wed, 25 Mar 2026 10:45:00 +0000


Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Mon, 23 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
References

Thu, 19 Mar 2026 12:15:00 +0000


Wed, 18 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description (initial text, identical to the Description section above)
Title apparmor: validate DFA start states are in bounds in unpack_pdb
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T14:44:04.248Z

Reserved: 2026-01-13T15:37:45.991Z

Link: CVE-2026-23269

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-18T18:16:25.907

Modified: 2026-04-02T15:16:27.750

Link: CVE-2026-23269

Redhat

Severity:

Public Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23269 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:39:21Z

Weaknesses