CVE-2026-23403
Description
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix memory leak in verify_header
The function sets *ns = NULL on every call, leaking the namespace string allocated in previous iterations when multiple profiles are unpacked. This also breaks namespace consistency checking since *ns is always NULL when the comparison is made.
Remove the incorrect assignment. The caller (aa_unpack) initializes *ns to NULL once before the loop, which is sufficient.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's AppArmor, verify_header leaks namespace strings across profile unpack loops and breaks consistency checking; fix removes the flawed assignment.
Vulnerability
In the Linux kernel's AppArmor security module, the function verify_header() contains a memory leak triggered during the unpacking of multiple profiles. The function unconditionally sets *ns = NULL at the start of each call, discarding any previously allocated namespace string without freeing it. Because the caller aa_unpack() loops over profiles while reusing the same ns pointer, each iteration leaks the memory allocated for the previous profile's namespace, and also prevents namespace consistency checks from functioning correctly — since *ns is always NULL when compared.
Exploitation
The bug is triggered by normal kernel operations that load AppArmor profiles from user space, such as policy updates or system startup. No special privileges beyond those required to load profiles (typically root or a process with CAP_MAC_ADMIN) are needed to trigger the leak. An attacker who can repeatedly cause profile reloads could exhaust kernel memory, leading to a denial-of-service condition. The leak also undermines namespace verification, but the security impact depends on the kernel's configuration and the specific policy being loaded.
Impact
An attacker able to repeatedly trigger AppArmor profile loads can cause a kernel memory leak, eventually exhausting system memory and resulting in a denial of service. The broken namespace consistency check could also allow loading profiles from unintended namespaces, potentially bypassing security boundaries.
Mitigation
The fix [1] simply removes the incorrect *ns = NULL assignment in verify_header(), relying on the caller aa_unpack() which already initializes *ns to NULL once before the loop [1]. The patch has been merged into the Linux kernel stable trees as commits [1][2][3][4]. Users should update their kernels to the latest stable releases containing these commits.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
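The leak and the defeated consistency check described above, reproduced in a small userspace C model (an added example, not the kernel's code or the patch). The names `verify_header_model` and `unpack_model`, the `reset_ns` switch, the sample namespace names, and the choice to treat a namespace change as an error are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the pattern in the description; NOT kernel source. */
static int live_allocs;  /* namespace strings allocated and not yet freed */
struct result { int leaked; int rejected; };
/* Constructed sample inputs: the namespace named by each profile header. */
static const char *const SAME_NS[]  = { "ns1", "ns1", "ns1" };
static const char *const MIXED_NS[] = { "ns1", "ns2" };

/* Per-profile header check. reset_ns = 1 reproduces the removed assignment. */
static int verify_header_model(const char *name, char **ns, int reset_ns)
{
    if (reset_ns)
        *ns = NULL;                 /* bug: forgets the previous allocation */
    if (*ns && strcmp(*ns, name) != 0)
        return -1;                  /* assumption: a namespace change is an error */
    if (!*ns) {
        *ns = malloc(strlen(name) + 1);
        if (!*ns) return -2;
        strcpy(*ns, name);
        live_allocs++;
    }
    return 0;
}

/* Caller: sets ns to NULL once, loops over the headers, frees ns at the end. */
static struct result unpack_model(const char *const *names, int n, int reset_ns)
{
    struct result r = { 0, 0 };
    char *ns = NULL;
    live_allocs = 0;
    for (int i = 0; i < n && !r.rejected; i++)
        r.rejected = verify_header_model(names[i], &ns, reset_ns) < 0;
    live_allocs -= (ns != NULL);    /* the caller can free only what ns still holds */
    free(ns);
    r.leaked = live_allocs;         /* strings that no pointer refers to any more */
    return r;
}

int main(void)
{
    for (int reset = 1; reset >= 0; reset--) {
        struct result s = unpack_model(SAME_NS, 3, reset);
        struct result m = unpack_model(MIXED_NS, 2, reset);
        printf("reset=%d leaked=%d mixed_rejected=%d\n", reset, s.leaked, m.rejected);
    }
    return 0;
}
```

With `reset_ns` set, three profiles in one namespace leave two strings unreachable and a stream that mixes `ns1` and `ns2` is accepted. Without it, nothing leaks and the mixed stream is refused.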
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=3.12.1,<5.10.253)
- cpe:2.3:o:linux:linux_kernel:3.12:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
References
- git.kernel.org/stable/c/42fd831abfc15d0643c14688f0522556b347e7e6 (nvd, Patch)
- git.kernel.org/stable/c/4f0889f2df1ab99224a5e1ac4e20437eea5fe38e (nvd, Patch)
- git.kernel.org/stable/c/663ce34786e759ebcbeb3060685c20bcc886d51a (nvd, Patch)
- git.kernel.org/stable/c/6b79abcb3c985e153fcf9d395e1d4336081aabc2 (nvd, Patch)
- git.kernel.org/stable/c/786e2c2a87d9c505f33321d1fd23a176aa8ddeb1 (nvd, Patch)
- git.kernel.org/stable/c/9d678eb0fe55c9195d9a253e8c5b82a87b930737 (nvd, Patch)
- git.kernel.org/stable/c/bcf82c0c5a8b383fd2d5d8f3fd880cdcab2ac557 (nvd, Patch)
- git.kernel.org/stable/c/e38c55d9f834e5b848bfed0f5c586aaf45acb825 (nvd, Patch)