Description
In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix race on rawdata dereference

There is a race condition that leads to a use-after-free situation:
because the rawdata inodes are not refcounted, an attacker can start
open()ing one of the rawdata files, and at the same time remove the
last reference to this rawdata (by removing the corresponding profile,
for example), which frees its struct aa_loaddata; as a result, when
seq_rawdata_open() is reached, i_private is a dangling pointer and
freed memory is accessed.

The rawdata inodes weren't refcounted to avoid a circular refcount and
were supposed to be held by the profile rawdata reference. However,
during profile removal there is a window where the vfs and profile
destruction race, resulting in the use after free.

Fix this by moving to a double refcount scheme, where the profile
refcount on rawdata is used to break the circular dependency, allowing
for freeing of the rawdata once all inode references to the rawdata
are put.
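
A user-space model of the double refcount scheme described above, added here as an illustration; it is not the kernel patch, and the struct fields and function names (`count`, `pcount`, `ld_put_profile`, `freed_at_open`) are assumptions. It replays the profile-removal-during-open ordering once with the inode holding no reference and once with the inode holding its own lifetime reference.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
/* User-space model of the lifetime rules; names are illustrative, not the kernel's. */
struct loaddata {
    atomic_int count;   /* lifetime refs: one per inode + one for the profile side */
    atomic_int pcount;  /* profile refs */
    bool *freed;        /* constructed probe: set when the memory is released */
};

static struct loaddata *ld_new(bool *freed) {
    struct loaddata *d = calloc(1, sizeof(*d));
    if (!d) abort();
    atomic_init(&d->count, 1);   /* held on behalf of all profile refs */
    atomic_init(&d->pcount, 1);
    d->freed = freed;
    return d;
}

static void ld_put(struct loaddata *d) {          /* drop a lifetime ref */
    if (atomic_fetch_sub(&d->count, 1) == 1) {
        *d->freed = true;
        free(d);
    }
}

static void ld_put_profile(struct loaddata *d) {  /* drop a profile ref */
    if (atomic_fetch_sub(&d->pcount, 1) == 1)
        ld_put(d);  /* last profile ref: files get unlinked, profile side lets go */
}

/* Fixed-order replay; returns true if freed when open() would use i_private. */
bool freed_at_open(bool inode_holds_ref, bool *freed_at_end) {
    bool freed = false;
    struct loaddata *i_private = ld_new(&freed);
    if (inode_holds_ref)
        atomic_fetch_add(&i_private->count, 1);  /* inode creation takes a ref */
    ld_put_profile(i_private);   /* profile removed while open() is in flight */
    bool dangling = freed;       /* what the open path would find */
    if (inode_holds_ref)
        ld_put(i_private);       /* inode eviction drops the last ref */
    *freed_at_end = freed;
    return dangling;
}

int main(void) {
    bool end;
    return !(freed_at_open(false, &end) && !freed_at_open(true, &end) && end);
}
```

With the inode holding no reference, the object is gone by the time the open path runs; with the second counter it survives until the inode is evicted and is still freed exactly once.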
Published: 2026-04-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑after‑free in AppArmor rawdata can lead to memory corruption
Action: Immediate Patch
AI Analysis

Impact

In the Linux kernel, a race condition in the AppArmor module allows a use-after-free when a user opens a rawdata file while simultaneously removing its corresponding profile. The rawdata inode is not reference-counted, so the kernel can free the associated aa_loaddata structure after the profile is deleted. When seq_rawdata_open later dereferences the i_private pointer, it accesses freed memory, potentially corrupting data or allowing arbitrary code execution. The weakness is classified as CWE-911 (Improper Update of Reference Count) and may compromise confidentiality, integrity, or availability.

Affected Systems

The affected components are the Linux kernel implementations of AppArmor rawdata inodes. All distributions that ship the original Linux kernel AppArmor code are potentially impacted. No specific kernel revisions are enumerated in the advisory, so any kernel containing the unpatched rawdata handling code is at risk.

Risk and Exploitability

The CVSS base score of 7.8 indicates a high severity vulnerability. The EPSS score is below 1 %, suggesting that exploitation is unlikely in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need local access with the ability to both open a rawdata file and delete its AppArmor profile, such as a privileged user or a compromised process. The race can be triggered by concurrent operations, so the attack vector is likely local. The impact could be significant if the attacker can cause the kernel to dereference invalid memory, leading to potential crashes or privilege escalation.

Generated by OpenCVE AI on April 2, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel patch that implements the double‑refcount scheme for AppArmor rawdata inodes
  • If an update is not yet available, avoid concurrently deleting AppArmor profiles while processes may access rawdata files; ensure no open file operations occur during profile removal
  • Consider temporarily disabling or restricting AppArmor profile management on systems until the kernel patch is applied

Advisories
Source  ID  Title
Ubuntu USN  USN-8152-1  Linux kernel (OEM) vulnerabilities
Ubuntu USN  USN-8163-1  Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN  USN-8164-1  Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN  USN-8165-1  Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN  USN-8163-2  Linux kernel (Azure) vulnerabilities
Ubuntu USN  USN-8201-1  Linux kernel (Azure) vulnerabilities

History

Fri, 24 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CPEs cpe:2.3:o:linux:linux_kernel:4.13:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Sat, 18 Apr 2026 09:15:00 +0000


Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 01 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling pointer and freed memory is accessed. The rawdata inodes weren't refcounted to avoid a circular refcount and were supposed to be held by the profile rawdata reference. However during profile removal there is a window where the vfs and profile destruction race, resulting in the use after free. Fix this by moving to a double refcount scheme. Where the profile refcount on rawdata is used to break the circular dependency. Allowing for freeing of the rawdata once all inode references to the rawdata are put.
Title apparmor: fix race on rawdata dereference
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:45.958Z

Reserved: 2026-01-13T15:37:46.013Z

Link: CVE-2026-23410

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-01T09:16:17.093

Modified: 2026-04-24T15:23:43.253

Link: CVE-2026-23410

Redhat

Severity : Moderate

Public Date: 2026-04-01T00:00:00Z

Links: CVE-2026-23410 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:22:28Z

Weaknesses