CVE-2026-23269
Description
In the Linux kernel, the following vulnerability has been resolved:
apparmor: validate DFA start states are in bounds in unpack_pdb
Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds the number of states in the DFA, this results in an out-of-bound read.
================================================================== BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360 Read of size 4 at addr ffff88811956fb90 by task su/1097 ...
Reject policies with out-of-bounds start states during unpacking to prevent the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's AppArmor, unpack_pdb() fails to validate DFA start states, leading to an out-of-bounds read via aa_dfa_next().
Vulnerability
CVE-2026-23269 is an out-of-bounds read vulnerability in the Linux kernel's AppArmor security module. The flaw resides in the unpack_pdb() function, which reads DFA (Deterministic Finite Automaton) start states from untrusted policy data. These start states are used as indexes into the DFA state tables without proper bounds checking. When aa_dfa_next() accesses dfa->tables[YYTD_ID_BASE][start], a start state exceeding the number of states in the DFA triggers a slab-out-of-bounds read, as demonstrated by a KASAN report [1].\.
Exploitation
An attacker who can supply a crafted AppArmor policy (for example, by exploiting the confused-deputy problem described in the Qualys advisory [1]) can trigger this bug during policy unpacking. The attack requires the ability to load a malicious policy into the kernel, which may be achieved by an unprivileged local attacker in certain configurations [1].
Impact
Successful exploitation results in an out-of-bounds read, which can leak sensitive kernel memory or cause a denial of service (system crash). The Qualys advisory [1] notes that this is one of several AppArmor vulnerabilities that could be chained for privilege escalation or defense bypass.
Mitigation
The fix, merged into the Linux kernel stable branches [2][3][4], rejects policies with out-of-bounds start states during unpacking. Users should apply the latest kernel updates from their distribution. No workaround is available; the vulnerability is patched in updated kernels.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- git.kernel.org/stable/c/07cf6320f40ea2ccfad63728cff34ecb309d03danvd
- git.kernel.org/stable/c/0baadb0eece2c4d939db10d3c323b4652ac79a58nvd
- git.kernel.org/stable/c/15c3eb8916e7db01cb246d04a1fe6f0fdc065b0cnvd
- git.kernel.org/stable/c/3bb7db43e32190c973d4019037cedb7895920184nvd
- git.kernel.org/stable/c/5443c027ec16afa55b1b8a3e7a1ab2ea3c77767anvd
- git.kernel.org/stable/c/5487871b2b56c19d26936ed6fdc62652b30941dfnvd
- git.kernel.org/stable/c/9063d7e2615f4a7ab321de6b520e23d370e58816nvd
- git.kernel.org/stable/c/f43eea8ae0102ea198da211ef7f5ce83725ecf19nvd
- www.qualys.com/2026/03/10/crack-armor.txtnvd
News mentions
0No linked articles in our index yet.