{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23408", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.013Z", "datePublished": "2026-04-01T08:36:37.873Z", "dateUpdated": "2026-04-01T08:36:37.873Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-01T08:36:37.873Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix double free of ns_name in aa_replace_profiles()\n\nif ns_name is NULL after\n1071 error = aa_unpack(udata, &lh, &ns_name);\n\nand if ent->ns_name contains an ns_name in\n1089 } else if (ent->ns_name) {\n\nthen ns_name is assigned the ent->ns_name\n1095 ns_name = ent->ns_name;\n\nhowever ent->ns_name is freed at\n1262 aa_load_ent_free(ent);\n\nand then again when freeing ns_name at\n1270 kfree(ns_name);\n\nFix this by NULLing out ent->ns_name after it is transferred to ns_name\n\n\")"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/apparmor/policy.c"], "versions": [{"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a", "lessThan": "55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a", "status": "affected", "versionType": "git"}, {"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a", "lessThan": "86feeccd6b93ed94bd6655f30de80f163f8d5a45", "status": "affected", "versionType": "git"}, {"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a", "lessThan": "7998ab3010d2317643f91828f1853d954ef31387", "status": "affected", "versionType": "git"}, {"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a", "lessThan": "18b5233e860c294a847ee07869d93c0b8673a54b", "status": "affected", "versionType": "git"}, {"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a", "lessThan": "5df0c44e8f5f619d3beb871207aded7c78414502", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/apparmor/policy.c"], "versions": [{"version": "5.5", "status": "affected"}, {"version": "0", "lessThan": "5.5", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.18", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.8", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.18.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.19.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "7.0-rc4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a"}, {"url": "https://git.kernel.org/stable/c/86feeccd6b93ed94bd6655f30de80f163f8d5a45"}, {"url": "https://git.kernel.org/stable/c/7998ab3010d2317643f91828f1853d954ef31387"}, {"url": "https://git.kernel.org/stable/c/18b5233e860c294a847ee07869d93c0b8673a54b"}, {"url": "https://git.kernel.org/stable/c/5df0c44e8f5f619d3beb871207aded7c78414502"}], "title": "apparmor: Fix double free of ns_name in aa_replace_profiles()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix double free of ns_name in aa_replace_profiles()\n\nif ns_name is NULL after\n1071 error = aa_unpack(udata, &lh, &ns_name);\n\nand if ent->ns_name contains an ns_name in\n1089 } else if (ent->ns_name) {\n\nthen ns_name is assigned the ent->ns_name\n1095 ns_name = ent->ns_name;\n\nhowever ent->ns_name is freed at\n1262 aa_load_ent_free(ent);\n\nand then again when freeing ns_name at\n1270 kfree(ns_name);\n\nFix this by NULLing out ent->ns_name after it is transferred to ns_name\n\n\")"}], "id": "CVE-2026-23408", "lastModified": "2026-04-01T14:23:37.727", "metrics": {}, "published": "2026-04-01T09:16:16.747", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/18b5233e860c294a847ee07869d93c0b8673a54b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5df0c44e8f5f619d3beb871207aded7c78414502"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7998ab3010d2317643f91828f1853d954ef31387"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/86feeccd6b93ed94bd6655f30de80f163f8d5a45"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: apparmor: Fix double free of ns_name in aa_replace_profiles()", "id": "2453798", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453798"}, "csaw": false, "cwe": "CWE-1341", "details": ["A flaw was found in AppArmor within the Linux kernel. This vulnerability involves a double free of the `ns_name` variable in the `aa_replace_profiles()` function. This can occur when `ns_name` is assigned from `ent->ns_name` without properly nulling out `ent->ns_name`, leading to it being freed twice. A local attacker could potentially exploit this memory corruption to cause a denial of service or other unpredictable system behavior."], "name": "CVE-2026-23408", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23408\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23408\nhttps://lore.kernel.org/linux-cve-announce/2026040113-CVE-2026-23408-1932@gregkh/T"]}

{}