CVE-2026-23408 - Vulnerability Details

- apparmor: Fix double free of ns_name in aa_replace_profiles()

Description

In the Linux kernel, the following vulnerability has been resolved:

apparmor: Fix double free of ns_name in aa_replace_profiles()

if ns_name is NULL after
1071 error = aa_unpack(udata, &lh, &ns_name);

and if ent->ns_name contains an ns_name in
1089 } else if (ent->ns_name) {

then ns_name is assigned the ent->ns_name
1095 ns_name = ent->ns_name;

however ent->ns_name is freed at
1262 aa_load_ent_free(ent);

and then again when freeing ns_name at
1270 kfree(ns_name);

Fix this by NULLing out ent->ns_name after it is transferred to ns_name

")

Published: 2026-04-01

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A double free occurs within the AppArmor subsystem of the Linux kernel when the namespace name pointer is duplicated and subsequently freed twice. This memory management flaw can corrupt kernel memory, potentially leading to a kernel crash or, if exploited, privilege escalation. The weakness is classified as CWE‑1341, indicating an unmatched deallocation error. The CVSS score of 7.8 denotes a high severity.

Affected Systems

All installations of the Linux kernel that include the AppArmor module and run versions prior to the patch commit are affected. The CPE list indicates linux:linux_kernel, so every distribution using an older kernel version that has not incorporated the fix is vulnerable. No specific vendor or version numbers are listed, so systems should treat any kernel version before the commit as vulnerable.

Risk and Exploitability

The EPSS score is below 1 %, suggesting a low probability that an exploit will appear in the near term. The vulnerability is not listed in the CISA KEV catalog, indicating no known public exploits. The attack vector is likely local, requiring the attacker to have code execution with kernel privileges or to exploit a local exploit that can run within the kernel. If successful, the attacker could cause a denial‑of‑service or elevate privileges. Due to the high CVSS score, the risk to systems that have not applied the patch remains significant.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`145a0ef21c8e944957f58e2c8ffcd8a10f46266a`	affected	< c6347a2116ecccb8fd9ee4ebc75ae41d1d7ef689
`145a0ef21c8e944957f58e2c8ffcd8a10f46266a`	affected	< c053ae381ce227577567d1ef10090ce7506d7a28
`145a0ef21c8e944957f58e2c8ffcd8a10f46266a`	affected	< 35f4caec1352054b9a61cfdf2bf1898073637aa0
`145a0ef21c8e944957f58e2c8ffcd8a10f46266a`	affected	< 55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a
`145a0ef21c8e944957f58e2c8ffcd8a10f46266a`	affected	< 86feeccd6b93ed94bd6655f30de80f163f8d5a45
`145a0ef21c8e944957f58e2c8ffcd8a10f46266a`	affected	< 7998ab3010d2317643f91828f1853d954ef31387
`145a0ef21c8e944957f58e2c8ffcd8a10f46266a`	affected	< 18b5233e860c294a847ee07869d93c0b8673a54b
`145a0ef21c8e944957f58e2c8ffcd8a10f46266a`	affected	< 5df0c44e8f5f619d3beb871207aded7c78414502

Linux

affected

Version	Status	Constraints
`5.5`	affected	—
`0`	unaffected	< 5.5
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.169`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.77`	unaffected	≤ 6.12.*
`6.18.18`	unaffected	≤ 6.18.*
`6.19.8`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[145a0ef21c8e944957f58e2c8ffcd8a10f46266a,55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a)`	affected	code_commit	—
`[145a0ef21c8e944957f58e2c8ffcd8a10f46266a,86feeccd6b93ed94bd6655f30de80f163f8d5a45)`	affected	code_commit	—
`[145a0ef21c8e944957f58e2c8ffcd8a10f46266a,7998ab3010d2317643f91828f1853d954ef31387)`	affected	code_commit	—
`[145a0ef21c8e944957f58e2c8ffcd8a10f46266a,18b5233e860c294a847ee07869d93c0b8673a54b)`	affected	code_commit	—
`[145a0ef21c8e944957f58e2c8ffcd8a10f46266a,5df0c44e8f5f619d3beb871207aded7c78414502)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.5`	affected	semver	—
`[0,5.5)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.77,6.13.0)`	unaffected	semver	—
`[6.18.18,6.19.0)`	unaffected	semver	—
`[6.19.8,*]`	unaffected	generic	—
`[7.0-rc4,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that nulls out ent->ns_name after it is transferred, ensuring the double free is eliminated
Reboot the system to clear any state that may have been corrupted by the double free
Verify the running kernel version to confirm the fix is in place

Generated by OpenCVE AI on April 2, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Ubuntu USN	USN-8152-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-8163-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8164-1	Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN	USN-8165-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8163-2	Linux kernel (Azure) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/18b5233e860c294a847ee07869d93c0b8673a54b
https://git.kernel.org/stable/c/35f4caec1352054b9a61cfdf2bf1898073637aa0
https://git.kernel.org/stable/c/55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a
https://git.kernel.org/stable/c/5df0c44e8f5f619d3beb871207aded7c78414502
https://git.kernel.org/stable/c/7998ab3010d2317643f91828f1853d954ef31387
https://git.kernel.org/stable/c/86feeccd6b93ed94bd6655f30de80f163f8d5a45
https://git.kernel.org/stable/c/c053ae381ce227577567d1ef10090ce7506d7a28
https://git.kernel.org/stable/c/c6347a2116ecccb8fd9ee4ebc75ae41d1d7ef689
https://lore.kernel.org/linux-cve-announce/2026040113-CVE-2026-23408-1932@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23408
https://www.cve.org/CVERecord?id=CVE-2026-23408

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/35f4caec1352054b9a61cfdf2bf1898073637aa0 https://git.kernel.org/stable/c/c053ae381ce227577567d1ef10090ce7506d7a28 https://git.kernel.org/stable/c/c6347a2116ecccb8fd9ee4ebc75ae41d1d7ef689

Thu, 02 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 02 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1341
References		https://lore.kernel.org/linux-cve-announce/2026040113-CVE-2026-23408-1932@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23408 https://www.cve.org/CVERecord?id=CVE-2026-23408

Wed, 01 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix double free of ns_name in aa_replace_profiles() if ns_name is NULL after 1071 error = aa_unpack(udata, &lh, &ns_name); and if ent->ns_name contains an ns_name in 1089 } else if (ent->ns_name) { then ns_name is assigned the ent->ns_name 1095 ns_name = ent->ns_name; however ent->ns_name is freed at 1262 aa_load_ent_free(ent); and then again when freeing ns_name at 1270 kfree(ns_name); Fix this by NULLing out ent->ns_name after it is transferred to ns_name ")
Title		apparmor: Fix double free of ns_name in aa_replace_profiles()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/18b5233e860c294a847ee07869d93c0b8673a54b https://git.kernel.org/stable/c/55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a https://git.kernel.org/stable/c/5df0c44e8f5f619d3beb871207aded7c78414502 https://git.kernel.org/stable/c/7998ab3010d2317643f91828f1853d954ef31387 https://git.kernel.org/stable/c/86feeccd6b93ed94bd6655f30de80f163f8d5a45

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-01T08:36:37.873Z

Updated: 2026-04-18T08:58:43.247Z

Reserved: 2026-01-13T15:37:46.013Z

Link: CVE-2026-23408

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-01T09:16:16.747

Modified: 2026-04-18T09:16:25.303

Link: CVE-2026-23408

Redhat

Severity :

Publid Date: 2026-04-01T00:00:00Z

Links: CVE-2026-23408 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:22:29Z

Weaknesses

CWE-1341

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object