CVE-2026-23405 - Vulnerability Details

- apparmor: fix: limit the number of levels of policy namespaces

Description

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix: limit the number of levels of policy namespaces

Currently the number of policy namespaces is not bounded relying on
the user namespace limit. However policy namespaces aren't strictly
tied to user namespaces and it is possible to create them and nest
them arbitrarily deep which can be used to exhaust system resource.

Hard cap policy namespaces to the same depth as user namespaces.

Published: 2026-04-01

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises because the Linux kernel allows policy namespaces to be nested without an upper bound, relying solely on the user namespace limit. An attacker can create arbitrarily deep policy namespace hierarchies, exhausting system resources and potentially causing service interruptions or system crashes. The flaw represents unbounded resource consumption and can undermine system availability without directly compromising data confidentiality or integrity.

Affected Systems

The issue is present in the Linux kernel across all distributions that ship a kernel version containing unbounded policy namespace logic. The CVE notes the fix that hard‑caps policy namespace depth to match user namespace depth, but no specific kernel releases or version ranges are listed. Therefore any kernel build predating the patch is potentially vulnerable unless the vendor has applied the change.

Risk and Exploitability

EPSS is reported as below 1 % and the vulnerability is not in the CISA KEV catalog, indicating limited known exploitation. The likely attack vector is local or requires privileged kernel access, as creating and nesting policy namespaces requires kernel capabilities. Given the potential for resource exhaustion, the risk can be rated as moderate, but the probability of exploitation remains low under normal circumstances.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c88d4c7b049e87998ac0a9f455aa545cc895ef92`	affected	< 6b396cc2f0365e684fc1d3547d18ef79fcee225d
`c88d4c7b049e87998ac0a9f455aa545cc895ef92`	affected	< 87d0cecc900e55d55fc4dbfb43ac93e269c7a5b3
`c88d4c7b049e87998ac0a9f455aa545cc895ef92`	affected	< b1226e37eb3754d389721c135db6107db94c7a72
`c88d4c7b049e87998ac0a9f455aa545cc895ef92`	affected	< 3f8699b3ee0c04b4b9bc27b82cd89a40e81e1d2e
`c88d4c7b049e87998ac0a9f455aa545cc895ef92`	affected	< 853ce31ca72097d23991a06876a2ccb5cb64b603
`c88d4c7b049e87998ac0a9f455aa545cc895ef92`	affected	< d42b2b6bb77ca40ee34ab74ad79305840b5f315d
`c88d4c7b049e87998ac0a9f455aa545cc895ef92`	affected	< 7b6495ead2c611647f6b11441a852324e3eb8616
`c88d4c7b049e87998ac0a9f455aa545cc895ef92`	affected	< 306039414932c80f8420695a24d4fe10c84ccfb2

Linux

affected

Version	Status	Constraints
`2.6.36`	affected	—
`0`	unaffected	< 2.6.36
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.169`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.77`	unaffected	≤ 6.12.*
`6.18.18`	unaffected	≤ 6.18.*
`6.19.8`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:2.6.36:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c88d4c7b049e87998ac0a9f455aa545cc895ef92,3f8699b3ee0c04b4b9bc27b82cd89a40e81e1d2e)`	affected	code_commit	—
`[3f8699b3ee0c04b4b9bc27b82cd89a40e81e1d2e,853ce31ca72097d23991a06876a2ccb5cb64b603)`	affected	code_commit	—
`[853ce31ca72097d23991a06876a2ccb5cb64b603,d42b2b6bb77ca40ee34ab74ad79305840b5f315d)`	affected	code_commit	—
`[d42b2b6bb77ca40ee34ab74ad79305840b5f315d,7b6495ead2c611647f6b11441a852324e3eb8616)`	affected	code_commit	—
`[7b6495ead2c611647f6b11441a852324e3eb8616,306039414932c80f8420695a24d4fe10c84ccfb2)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.36`	affected	semver	—
`[0,2.6.36)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.77,6.13.0)`	unaffected	semver	—
`[6.18.18,6.19.0)`	unaffected	semver	—
`[6.19.8,6.20.0)`	unaffected	semver	—
`[7.0-rc4,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that implements the policy namespace depth limitation.
Verify that the running kernel version includes the patch, for example by checking the commit ID or vendor release notes.

Generated by OpenCVE AI on April 2, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Ubuntu USN	USN-8152-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-8163-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8164-1	Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN	USN-8165-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8163-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8201-1	Linux kernel (Azure) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/306039414932c80f8420695a24d4fe10c84ccfb2
https://git.kernel.org/stable/c/3f8699b3ee0c04b4b9bc27b82cd89a40e81e1d2e
https://git.kernel.org/stable/c/6b396cc2f0365e684fc1d3547d18ef79fcee225d
https://git.kernel.org/stable/c/7b6495ead2c611647f6b11441a852324e3eb8616
https://git.kernel.org/stable/c/853ce31ca72097d23991a06876a2ccb5cb64b603
https://git.kernel.org/stable/c/87d0cecc900e55d55fc4dbfb43ac93e269c7a5b3
https://git.kernel.org/stable/c/b1226e37eb3754d389721c135db6107db94c7a72
https://git.kernel.org/stable/c/d42b2b6bb77ca40ee34ab74ad79305840b5f315d
https://lore.kernel.org/linux-cve-announce/2026040111-CVE-2026-23405-0e7a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23405
https://www.cve.org/CVERecord?id=CVE-2026-23405

History

Fri, 24 Apr 2026 18:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:2.6.36:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/6b396cc2f0365e684fc1d3547d18ef79fcee225d https://git.kernel.org/stable/c/87d0cecc900e55d55fc4dbfb43ac93e269c7a5b3 https://git.kernel.org/stable/c/b1226e37eb3754d389721c135db6107db94c7a72

Thu, 02 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770
References		https://lore.kernel.org/linux-cve-announce/2026040111-CVE-2026-23405-0e7a@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23405 https://www.cve.org/CVERecord?id=CVE-2026-23405

Wed, 01 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: apparmor: fix: limit the number of levels of policy namespaces Currently the number of policy namespaces is not bounded relying on the user namespace limit. However policy namespaces aren't strictly tied to user namespaces and it is possible to create them and nest them arbitrarily deep which can be used to exhaust system resource. Hard cap policy namespaces to the same depth as user namespaces.
Title		apparmor: fix: limit the number of levels of policy namespaces
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/306039414932c80f8420695a24d4fe10c84ccfb2 https://git.kernel.org/stable/c/3f8699b3ee0c04b4b9bc27b82cd89a40e81e1d2e https://git.kernel.org/stable/c/7b6495ead2c611647f6b11441a852324e3eb8616 https://git.kernel.org/stable/c/853ce31ca72097d23991a06876a2ccb5cb64b603 https://git.kernel.org/stable/c/d42b2b6bb77ca40ee34ab74ad79305840b5f315d

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-01T08:36:35.697Z

Updated: 2026-04-18T08:58:39.212Z

Reserved: 2026-01-13T15:37:46.012Z

Link: CVE-2026-23405

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-01T09:16:16.153

Modified: 2026-04-24T18:40:27.023

Link: CVE-2026-23405

Redhat

Severity :

Publid Date: 2026-04-01T00:00:00Z

Links: CVE-2026-23405 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:17:54Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object