Description
In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix differential encoding verification

Differential encoding allows loops to be created if it is abused. To
prevent this the unpack should verify that a diff-encode chain
terminates.

Unfortunately the differential encode verification had two bugs.

1. it conflated states that had gone through check and already been
marked, with states that were currently being checked and marked.
This means that loops in the current chain being verified are treated
as a chain that has already been verified.

2. the order bailout on already checked states compared current chain
check iterators j,k instead of using the outer loop iterator i.
Meaning a step backwards in states in the current chain verification
was being mistaken for moving to an already verified state.

Move to a double mark scheme where already verified states get a
different mark, than the current chain being kept. This enables us
to also drop the backwards verification check that was the cause of
the second error as any already verified state is already marked.
Published: 2026-04-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Prevent loops from differential encoding that could lead to denial of service
Action: Apply patch
AI Analysis

Impact

This vulnerability involves the apparmor component of the Linux kernel, specifically the verification of differential encoding chains. The bug allowed loops to be created when a differential encode chain was unchecked or incorrectly marked during verification. Because of this flaw, a loop could be introduced in the chain being verified, potentially leading to resource exhaustion or other denial‑of‑service conditions. The weakness is identified as CWE‑372: Incorrect Verification of Data or State.

Affected Systems

Affected systems are Linux kernel installations across all Linux distributions that include the apparmor subsystem. The patch addresses the flaw in the differential encode verification logic and is applicable to all kernel releases prior to the update that contains this fix.

Risk and Exploitability

No CVSS score is provided; however, the EPSS score is reported as less than 1 percent, indicating a very low probability of exploitation in the wild. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, suggesting no known public exploits. The likely attack vector would require the attacker to influence the Differential Encoding chain within the apparmor policy context; precise conditions are not detailed in the data.

Generated by OpenCVE AI on April 2, 2026 at 02:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the apparmor differential encoding verification fix
  • Verify that the kernel version has been updated to the patched release
  • If update is not immediately available, restrict influence over apparmor policy configuration to trusted users
  • Regularly monitor kernel release notes for related security updates

Generated by OpenCVE AI on April 2, 2026 at 02:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8152-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8164-1 Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8165-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-2 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8201-1 Linux kernel (Azure) vulnerabilities
History

Fri, 24 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
CPEs cpe:2.3:o:linux:linux_kernel:4.17:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-372
References

Wed, 01 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: apparmor: fix differential encoding verification Differential encoding allows loops to be created if it is abused. To prevent this the unpack should verify that a diff-encode chain terminates. Unfortunately the differential encode verification had two bugs. 1. it conflated states that had gone through check and already been marked, with states that were currently being checked and marked. This means that loops in the current chain being verified are treated as a chain that has already been verified. 2. the order bailout on already checked states compared current chain check iterators j,k instead of using the outer loop iterator i. Meaning a step backwards in states in the current chain verification was being mistaken for moving to an already verified state. Move to a double mark scheme where already verified states get a different mark, than the current chain being kept. This enables us to also drop the backwards verification check that was the cause of the second error as any already verified state is already marked.
Title apparmor: fix differential encoding verification
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:44.586Z

Reserved: 2026-01-13T15:37:46.013Z

Link: CVE-2026-23409

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T09:16:16.913

Modified: 2026-04-24T15:23:55.877

Link: CVE-2026-23409

cve-icon Redhat

Severity :

Publid Date: 2026-04-01T00:00:00Z

Links: CVE-2026-23409 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:17:50Z

Weaknesses