Impact
In the Linux kernel, the function aa_get_buffer() prematurely decrements a per-CPU hold counter without checking for underflow. If the counter reaches zero while a buffer remains counted, it wraps to a very large value and the buffer is never returned to the global list. The buffer starvation prevents other CPUs from reclaiming memory and forces repeated kmalloc(aa_g_path_max) allocations, ultimately exhausting memory resources. The weakness manifests as an integer underflow (CWE-189) and results in a denial-of-service condition where the system becomes unresponsive due to lack of available buffers.
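A simplified userspace model of the failure mode described above, added here as an illustration and not the kernel's own code; the struct, its field names, the `guarded` switch and the buffer sequence are constructed assumptions, with the unguarded and guarded decrement side by side:

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a per-CPU buffer cache: `hold` pins buffers to this
 * CPU, `count` is how many buffers the local list holds.  `global_count`
 * stands in for the shared list other CPUs reclaim from. */
struct local_cache {
    unsigned int hold;   /* unsigned: decrementing 0 wraps to UINT_MAX */
    unsigned int count;
};

/* Take a buffer from the local cache.  `guarded` selects the fixed
 * behaviour: decrement the hold counter only when it is non-zero. */
static void get_buffer(struct local_cache *c, bool guarded)
{
    if (c->count == 0)
        return;            /* real code would fall back to global list/kmalloc */
    c->count--;
    if (guarded) {
        if (c->hold)
            c->hold--;
    } else {
        c->hold--;         /* bug: underflows when hold is already 0 */
    }
}

/* Return a buffer.  It reaches the global list only when this CPU holds no
 * pins (hold == 0) and already caches enough buffers locally. */
static void put_buffer(struct local_cache *c, unsigned int *global_count)
{
    if (c->hold == 0 && c->count >= 2) {
        (*global_count)++;
        return;
    }
    c->count++;            /* wrapped hold keeps every buffer on this CPU */
}

/* One get with hold == 0, then four puts.  Returns how many buffers were
 * handed back to the global list; *hold_after receives the final counter. */
unsigned int returned_to_global(bool guarded, unsigned int *hold_after)
{
    struct local_cache c = { .hold = 0, .count = 1 };
    unsigned int global = 0;
    get_buffer(&c, guarded);
    for (int i = 0; i < 4; i++)
        put_buffer(&c, &global);
    *hold_after = c.hold;
    return global;
}
```

With the unguarded decrement the hold counter ends at UINT_MAX and no buffer ever reaches the global list; with the guard two of the four returned buffers do.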
Affected Systems
All Linux kernel releases are potentially affected, as the vulnerability originates in the AppArmor subsystem of the kernel source tree. The fix is applied to all kernel versions that include the patch referenced in the advisory; distributions shipping kernels without the underflow guard remain susceptible to the buffer starvation issue.
Risk and Exploitability
The vulnerability is local to the system; it requires execution of code that invokes aa_get_buffer(), which typically occurs during normal kernel operation for any user process interacting with AppArmor profiles. Because the flaw is an internal kernel bug rather than an externally exposed interface, the attack vector is inferred to be local, requiring either local privilege or a user able to trigger the affected kernel path. No EPSS score is available, and the issue is not listed in CISA's KEV catalog, which suggests limited public exploitation data. However, the impact of memory exhaustion and the absence of a countermeasure in vulnerable kernels raise the risk, especially in environments with heavy AppArmor usage.
OpenCVE Enrichment