CVE-2026-23404
Description
In the Linux kernel, the following vulnerability has been resolved:
apparmor: replace recursive profile removal with iterative approach
The profile removal code uses recursion when removing nested profiles, which can lead to kernel stack exhaustion and system crashes.
Reproducer: $ pf='a'; for ((i=0; i<1024; i++)); do echo -e "profile $pf { \n }" | apparmor_parser -K -a; pf="$pf//x"; done $ echo -n a > /sys/kernel/security/apparmor/.remove
Replace the recursive __aa_profile_list_release() approach with an iterative approach in __remove_profile(). The function repeatedly finds and removes leaf profiles until the entire subtree is removed, maintaining the same removal semantic without recursion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Linux kernel's AppArmor module had a stack overflow due to recursive profile removal; fixed by an iterative approach.
Vulnerability
CVE-2026-23404 is a kernel stack exhaustion vulnerability in the Linux kernel's AppArmor security module. The __aa_profile_list_release() function used recursion to remove nested AppArmor profiles, which could lead to kernel stack exhaustion and system crashes when deeply nested profiles are deleted.
Exploitation
The vulnerability is triggered by creating a large number of nested AppArmor profiles using the apparmor_parser utility, then attempting to remove them by writing to /sys/kernel/security/apparmor/.remove. The reproducible attack involves creating 1024+ nested profiles, which causes the recursive removal function to overflow the kernel stack [1].
Impact
An attacker with local access to a system using AppArmor can cause a kernel stack overflow, leading to a denial of service via system crash. The CVSS v3 score of 5.5 reflects a medium severity, with the attack requiring local access and specific manipulation of AppArmor profiles [1].
Mitigation
The fix replaces the recursive __aa_profile_list_release() with an iterative approach in __remove_profile(), which repeatedly finds and removes leaf profiles until the entire subtree is removed, maintaining the same semantics without recursion [1]. The patch has been backported to multiple stable kernel trees [2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
10cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 9 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=2.6.36.1,<5.10.253
- cpe:2.3:o:linux:linux_kernel:2.6.36:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/33959a491e9fd557abfa5fce5ae4637d400915d3nvdPatch
- git.kernel.org/stable/c/4fdc847b107321dec22bf8ecd6019b7af76d7886nvdPatch
- git.kernel.org/stable/c/7eade846e013cbe8d2dc4a484463aa19e6515c7fnvdPatch
- git.kernel.org/stable/c/999bd704b0b641527a5ed46f0d969deff8cfa68bnvdPatch
- git.kernel.org/stable/c/a6a941a1294ac5abe22053dc501d25aed96e48fenvdPatch
- git.kernel.org/stable/c/ab09264660f9de5d05d1ef4e225aa447c63a8747nvdPatch
- git.kernel.org/stable/c/b36a04284d0208be94e5e401409caa00e2bf1be1nvdPatch
- git.kernel.org/stable/c/ea854f032190cc9f26dc4a0e727090c89e55e342nvdPatch
News mentions
0No linked articles in our index yet.