CVE-2026-23406
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix side-effect bug in match_char() macro usage The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the string pointer advances on each iteration of the inner do-while loop, causing the DFA to check different characters at each iteration and therefore skip input characters. This results in out-of-bounds reads when the pointer advances past the input buffer boundary. [ 94.984676] ================================================================== [ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760 [ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976 [ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy) [ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 94.986329] Call Trace: [ 94.986341] <TASK> [ 94.986347] dump_stack_lvl+0x5e/0x80 [ 94.986374] print_report+0xc8/0x270 [ 94.986384] ? aa_dfa_match+0x5ae/0x760 [ 94.986388] kasan_report+0x118/0x150 [ 94.986401] ? aa_dfa_match+0x5ae/0x760 [ 94.986405] aa_dfa_match+0x5ae/0x760 [ 94.986408] __aa_path_perm+0x131/0x400 [ 94.986418] aa_path_perm+0x219/0x2f0 [ 94.986424] apparmor_file_open+0x345/0x570 [ 94.986431] security_file_open+0x5c/0x140 [ 94.986442] do_dentry_open+0x2f6/0x1120 [ 94.986450] vfs_open+0x38/0x2b0 [ 94.986453] ? may_open+0x1e2/0x2b0 [ 94.986466] path_openat+0x231b/0x2b30 [ 94.986469] ? __x64_sys_openat+0xf8/0x130 [ 94.986477] do_file_open+0x19d/0x360 [ 94.986487] do_sys_openat2+0x98/0x100 [ 94.986491] __x64_sys_openat+0xf8/0x130 [ 94.986499] do_syscall_64+0x8e/0x660 [ 94.986515] ? count_memcg_events+0x15f/0x3c0 [ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986540] ? handle_mm_fault+0x1639/0x1ef0 [ 94.986551] ? vma_start_read+0xf0/0x320 [ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0 [ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0 [ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986588] ? irqentry_exit+0x3c/0x590 [ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 94.986597] RIP: 0033:0x7fda4a79c3ea Fix by extracting the character value before invoking match_char, ensuring single evaluation per outer loop.
EPSS 0.01% · 0.6th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| linux | linux_kernel | 4.17, 4.17, 4.17 |
| Linux | Linux | 074c1cd798cb0b481d7eaa749b64aa416563c053, 074c1cd798cb0b481d7eaa749b64aa416563c053, 074c1cd798cb0b481d7eaa749b64aa416563c053 |
Exploit Intelligence
- CIRCL seen: CVE-2026-23406 (circl-sighting)
- https://git.kernel.org/stable/c/5a184f7cbdeaad17e16dedf3c17d0cd622edfed8 (circl)
- https://git.kernel.org/stable/c/b73c1dff8a9d7eeaebabf8097a5b2de192f40913 (circl)
- https://git.kernel.org/stable/c/0510d1ba0976f97f521feb2b75b0572ea5df3ceb (circl)
- https://git.kernel.org/stable/c/383b7270faf42564f133134c2fc3c24bbae52615 (circl)
- https://git.kernel.org/stable/c/8756b68edae37ff546c02091989a4ceab3f20abd (circl)
- 4593.2.0.yml (github-poc)
- 4593.2.0.yml (github-poc)
- 4593.2.0.yml (github-poc)
- 4593.2.0.yml (github-poc)
…and 4 more exploits
Timeline
- Apr 1, 2026 CVE Published
- Apr 1, 2026 PoC Published
- Apr 1, 2026 Security Advisory
- Apr 24, 2026 CVE Updated
- Apr 29, 2026 Distribution Patch
- Apr 29, 2026 Distribution Patch
- Apr 29, 2026 Distribution Patch
- Apr 29, 2026 Distribution Patch
- Apr 29, 2026 Distribution Patch
- Apr 29, 2026 Distribution Patch
- Apr 29, 2026 Distribution Patch
- Apr 29, 2026 Distribution Patch
References
- https://git.kernel.org/stable/c/5a184f7cbdeaad17e16dedf3c17d0cd622edfed8 url
- https://git.kernel.org/stable/c/b73c1dff8a9d7eeaebabf8097a5b2de192f40913 url
- https://git.kernel.org/stable/c/0510d1ba0976f97f521feb2b75b0572ea5df3ceb url
- https://git.kernel.org/stable/c/383b7270faf42564f133134c2fc3c24bbae52615 url
- https://git.kernel.org/stable/c/8756b68edae37ff546c02091989a4ceab3f20abd url
- https://nvd.nist.gov/vuln/detail/CVE-2026-23406 advisory
- https://ubuntu.com/security/notices/USN-8180-5 advisory
- https://ubuntu.com/security/notices/USN-8183-2 advisory
- https://ubuntu.com/security/notices/USN-8098-10 advisory
- https://ubuntu.com/security/notices/USN-8201-1 advisory
- https://ubuntu.com/security/notices/USN-8179-3 advisory
- https://ubuntu.com/security/notices/USN-8203-1 advisory
- https://ubuntu.com/security/notices/USN-8180-4 advisory
- https://ubuntu.com/security/notices/USN-8200-1 advisory
- https://ubuntu.com/security/notices/USN-8204-1 advisory
- https://ubuntu.com/security/notices/USN-8200-2 advisory
- https://ubuntu.com/security/notices/USN-8180-3 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-202621930-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-202621841-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-20262238-1 advisory
…and 78 more