CVE-2026-45848
Description
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix NULL sock in aa_sock_file_perm
Deal with the potential that sock and sock->sk can be NULL during socket setup or teardown. This could lead to an oops. The fix for NULL pointer dereference in __unix_needs_revalidation shows this is at least possible for af_unix sockets. While the fix for af_unix sockets applies for newer mediation, this is still the fallback path for older af_unix mediation and other sockets, so ensure it is covered.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in AppArmor's aa_sock_file_perm could cause a kernel oops during socket setup or teardown.
Vulnerability
The vulnerability is a NULL pointer dereference in the aa_sock_file_perm function of the Linux kernel's AppArmor security module. During socket setup or teardown, sock or sock->sk can be NULL, and dereferencing either can cause a kernel oops. The fix for a NULL pointer dereference in __unix_needs_revalidation shows that this condition is at least possible for af_unix sockets. The issue affects the fallback path used for older af_unix mediation and for other socket types. [1][2]
Exploitation
An attacker can trigger this condition by initiating or terminating socket operations in a way that causes the AppArmor hook to be invoked while sock or sock->sk is NULL. No special privileges are required, as socket operations are common user-space actions. Reaching that state may depend on race conditions or a specific ordering of operations.
Impact
Successful exploitation leads to a kernel NULL pointer dereference, resulting in a system crash (oops) and denial of service. There is no indication of privilege escalation or arbitrary code execution; the impact is limited to availability.
Mitigation
The fix has been applied in Linux kernel stable updates. Users should apply the latest kernel updates from their distribution. The commit references are [1] and [2]. No workarounds are available besides patching. The vulnerability is not known to be exploited in the wild (no KEV listing).
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 16
68538ec34fcb apparmor: fix NULL sock in aa_sock_file_perm
1 file changed · +4 −3
security/apparmor/net.c+4 −3 modifieddiff --git a/security/apparmor/net.c b/security/apparmor/net.c index fa0e85568450b0..fbbfedd253f69b 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -182,8 +182,10 @@ int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request, struct socket *sock) { AA_BUG(!label); - AA_BUG(!sock); - AA_BUG(!sock->sk); + + /* sock && sock->sk can be NULL for sockets being set up or torn down */ + if (!sock || !sock->sk) + return 0; return aa_label_sk_perm(label, op, request, sock->sk); } -- cgit 1.3-korg
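Review bot: The new early exit `if (!sock || !sock->sk) return 0;` makes the hook report success when there is no socket to check, so this path now fails open. The added comment says when the pointers can be NULL but not why allowing the operation is the right result; one more sentence in the comment (for example, that there is nothing to mediate yet) would record that returning 0 is intended rather than a default nobody reviewed.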
5121b7283f1c apparmor: fix NULL sock in aa_sock_file_perm
1 file changed · +4 −3
security/apparmor/net.c+4 −3 modifieddiff --git a/security/apparmor/net.c b/security/apparmor/net.c index e0c1b50d6eddcb..abdce5e52b026c 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -182,8 +182,10 @@ int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request, struct socket *sock) { AA_BUG(!label); - AA_BUG(!sock); - AA_BUG(!sock->sk); + + /* sock && sock->sk can be NULL for sockets being set up or torn down */ + if (!sock || !sock->sk) + return 0; return aa_label_sk_perm(label, op, request, sock->sk); } -- cgit 1.3-korg
c11b7c3280d0 apparmor: fix NULL sock in aa_sock_file_perm
1 file changed · +4 −3
security/apparmor/net.c+4 −3 modifieddiff --git a/security/apparmor/net.c b/security/apparmor/net.c index 7efe4d17273d94..0c980e62dbe7a2 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -183,8 +183,10 @@ int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request, struct socket *sock) { AA_BUG(!label); - AA_BUG(!sock); - AA_BUG(!sock->sk); + + /* sock && sock->sk can be NULL for sockets being set up or torn down */ + if (!sock || !sock->sk) + return 0; return aa_label_sk_perm(label, op, request, sock->sk); } -- cgit 1.3-korg
0dc19bca2260 apparmor: fix NULL sock in aa_sock_file_perm
1 file changed · +4 −3
security/apparmor/net.c+4 −3 modifieddiff --git a/security/apparmor/net.c b/security/apparmor/net.c index 704c171232ab46..814e8319d43e04 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -190,8 +190,10 @@ int aa_sock_file_perm(const struct cred *subj_cred, struct aa_label *label, const char *op, u32 request, struct socket *sock) { AA_BUG(!label); - AA_BUG(!sock); - AA_BUG(!sock->sk); + + /* sock && sock->sk can be NULL for sockets being set up or torn down */ + if (!sock || !sock->sk) + return 0; return aa_label_sk_perm(subj_cred, label, op, request, sock->sk); } -- cgit 1.3-korg
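Review bot: The comment added above the check reads `sock && sock->sk can be NULL`, which looks like a C expression and uses the opposite operator from the test on the next line (`!sock || !sock->sk`). Wording it as "sock or sock->sk can be NULL" would match what the code tests and avoid a reader wondering whether both must be NULL.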
3852eb9a0392 apparmor: fix NULL sock in aa_sock_file_perm
1 file changed · +4 −3
security/apparmor/net.c+4 −3 modifieddiff --git a/security/apparmor/net.c b/security/apparmor/net.c index 77413a5191179a..f6f749191f6017 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -190,8 +190,10 @@ int aa_sock_file_perm(const struct cred *subj_cred, struct aa_label *label, const char *op, u32 request, struct socket *sock) { AA_BUG(!label); - AA_BUG(!sock); - AA_BUG(!sock->sk); + + /* sock && sock->sk can be NULL for sockets being set up or torn down */ + if (!sock || !sock->sk) + return 0; return aa_label_sk_perm(subj_cred, label, op, request, sock->sk); } -- cgit 1.3-korg
ccb66a3c6c8f apparmor: fix NULL sock in aa_sock_file_perm
1 file changed · +4 −3
security/apparmor/net.c+4 −3 modifieddiff --git a/security/apparmor/net.c b/security/apparmor/net.c index 45cf25605c345b..44c04102062f3d 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -326,8 +326,10 @@ int aa_sock_file_perm(const struct cred *subj_cred, struct aa_label *label, struct socket *sock = (struct socket *) file->private_data; AA_BUG(!label); - AA_BUG(!sock); - AA_BUG(!sock->sk); + + /* sock && sock->sk can be NULL for sockets being set up or torn down */ + if (!sock || !sock->sk) + return 0; if (sock->sk->sk_family == PF_UNIX) return aa_unix_file_perm(subj_cred, label, op, request, file); -- cgit 1.3-korg
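Review bot: In this version `sock` is read from `file->private_data`, and the PF_UNIX branch directly after the new check passes `file`, not `sock`, to `aa_unix_file_perm()`. The guard therefore protects only the `sock->sk->sk_family` test in this function, and the callee has to obtain and check the socket again. The commit message says the af_unix fix covers the newer mediation, so a short pointer to that check in the comment would make the dependency visible to the next reader.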
00b67657535d apparmor: fix NULL sock in aa_sock_file_perm
1 file changed · +4 −3
security/apparmor/net.c+4 −3 modifieddiff --git a/security/apparmor/net.c b/security/apparmor/net.c index 45cf25605c345b..44c04102062f3d 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -326,8 +326,10 @@ int aa_sock_file_perm(const struct cred *subj_cred, struct aa_label *label, struct socket *sock = (struct socket *) file->private_data; AA_BUG(!label); - AA_BUG(!sock); - AA_BUG(!sock->sk); + + /* sock && sock->sk can be NULL for sockets being set up or torn down */ + if (!sock || !sock->sk) + return 0; if (sock->sk->sk_family == PF_UNIX) return aa_unix_file_perm(subj_cred, label, op, request, file); -- cgit 1.3-korg
8a0ededbfcff apparmor: fix NULL sock in aa_sock_file_perm
1 file changed · +4 −3
security/apparmor/net.c+4 −3 modifieddiff --git a/security/apparmor/net.c b/security/apparmor/net.c index 45cf25605c345b..44c04102062f3d 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -326,8 +326,10 @@ int aa_sock_file_perm(const struct cred *subj_cred, struct aa_label *label, struct socket *sock = (struct socket *) file->private_data; AA_BUG(!label); - AA_BUG(!sock); - AA_BUG(!sock->sk); + + /* sock && sock->sk can be NULL for sockets being set up or torn down */ + if (!sock || !sock->sk) + return 0; if (sock->sk->sk_family == PF_UNIX) return aa_unix_file_perm(subj_cred, label, op, request, file); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing NULL pointer check for `sock` and `sock->sk` in `aa_sock_file_perm` allows a NULL pointer dereference during socket setup or teardown."
Attack vector
An attacker can trigger this NULL pointer dereference by causing AppArmor to mediate a socket operation (via `aa_sock_file_perm`) on a socket that is still being set up or already being torn down, where the `sock` pointer or `sock->sk` pointer is NULL. The commit message notes this is at least possible for af_unix sockets, as shown by the fix for NULL pointer dereference in `__unix_needs_revalidation`. The function is the fallback path for older af_unix mediation and other socket types, so any socket family undergoing setup/teardown while AppArmor mediation is active could trigger the oops. No authentication or special privileges beyond the ability to create and manipulate sockets are required.
Affected code
The vulnerability is in the `aa_sock_file_perm` function in `security/apparmor/net.c`. The function previously used `AA_BUG(!sock)` and `AA_BUG(!sock->sk)` assertions, which only caught NULL pointers in debug builds but did not prevent a NULL pointer dereference in production kernels. The function then unconditionally dereferenced `sock->sk` via `aa_label_sk_perm()` or `sock->sk->sk_family`, leading to a potential oops when `sock` or `sock->sk` is NULL during socket setup or teardown [patch_id=2662122].
What the fix does
The patch replaces the `AA_BUG(!sock)` and `AA_BUG(!sock->sk)` assertions with an explicit runtime NULL check: `if (!sock || !sock->sk) return 0;` [patch_id=2662122]. This ensures that when `aa_sock_file_perm` is called during socket setup or teardown with a NULL `sock` or `sock->sk`, the function returns 0 (success/permit) instead of crashing. The assertions only caught the issue in debug builds; the new check protects all kernel configurations. The comment added to the code explicitly documents that "sock && sock->sk can be NULL for sockets being set up or torn down."
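To confirm that a source tree you build or backport from carries the change described above, the following added example (not code from the kernel project or from this page) classifies the text of `security/apparmor/net.c` by the lines the diff removes and adds. The names `patch_state` and `function_body` are hypothetical, the samples are reassembled from the hunks shown on this page, and the brace matching assumes no braces inside string literals in the function.

```python
import re

# Patterns taken from the '-' and '+' lines of the diffs on this page.
OLD_ASSERT = re.compile(r"AA_BUG\(\s*!\s*sock\s*(->\s*sk\s*)?\)")
NEW_GUARD = re.compile(r"if\s*\(\s*!\s*sock\s*\|\|\s*!\s*sock\s*->\s*sk\s*\)\s*return\s+0\s*;")

def _match(text, start, opener, closer):
    """Index of the delimiter closing the one at text[start], or -1."""
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == opener) - (text[i] == closer)
        if depth == 0:
            return i
    return -1

def function_body(source, name="aa_sock_file_perm"):
    """Body of the definition of `name`; prototypes and calls are skipped."""
    for m in re.finditer(r"\b%s\s*\(" % re.escape(name), source):
        close = _match(source, m.end() - 1, "(", ")")
        brace = re.compile(r"\s*\{").match(source, close + 1) if close >= 0 else None
        end = _match(source, brace.end() - 1, "{", "}") if brace else -1
        if end >= 0:
            return source[brace.end() - 1:end + 1]
    return None

def patch_state(source):
    """Return 'patched', 'unpatched', 'unknown' or 'function-not-found'."""
    body = function_body(source)
    if body is None:
        return "function-not-found"
    body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)  # ignore comments
    if NEW_GUARD.search(body):
        return "patched"
    return "unpatched" if OLD_ASSERT.search(body) else "unknown"

# Constructed samples, reassembled from the diff hunks on this page.
TEMPLATE = """int aa_sock_file_perm(struct aa_label *label, const char *op,
                      u32 request, struct socket *sock);
int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
                      struct socket *sock)
{
    AA_BUG(!label);
%s
    return aa_label_sk_perm(label, op, request, sock->sk);
}
"""
BEFORE = TEMPLATE % "    AA_BUG(!sock);\n    AA_BUG(!sock->sk);"
AFTER = TEMPLATE % ("    /* sock && sock->sk can be NULL for sockets being set up or torn down */\n"
                    "    if (!sock || !sock->sk)\n        return 0;")
print("before:", patch_state(BEFORE), "| after:", patch_state(AFTER))
```

Pass the contents of `security/apparmor/net.c` from the tree in question to `patch_state()`; a result of `unknown` means the function matches neither form and needs a manual look.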
Preconditions
- config: AppArmor LSM must be enabled and mediating socket operations
- input: A socket must be in the middle of setup or teardown when aa_sock_file_perm is called
- auth: No special privileges required beyond ability to create sockets
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 8
- git.kernel.org/stable/c/00b67657535dfea56e84d11492f5c0f61d0af297 (nvd)
- git.kernel.org/stable/c/0dc19bca22606f7a61d5988408f74e3ae0ef3486 (nvd)
- git.kernel.org/stable/c/3852eb9a0392eb435c03dcb47d581bcfe6a9a95b (nvd)
- git.kernel.org/stable/c/5121b7283f1c46e4c06b88b1dda7b064429d77de (nvd)
- git.kernel.org/stable/c/68538ec34fcb4194c7961dc4eca6f5537fec8067 (nvd)
- git.kernel.org/stable/c/8a0ededbfcff74598f82f1d4b8ef9db28878b317 (nvd)
- git.kernel.org/stable/c/c11b7c3280d000376e27ebfed17ec7046699eab4 (nvd)
- git.kernel.org/stable/c/ccb66a3c6c8f51b3ed1bc003b70bb9ff99e8d835 (nvd)