VYPR
Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026

CVE-2026-45884

CVE-2026-45884

Description

In the Linux kernel, the following vulnerability has been resolved:

apparmor: avoid per-cpu hold underflow in aa_get_buffer

When aa_get_buffer() pulls from the per-cpu list it unconditionally decrements cache->hold. If hold reaches 0 while count is still non-zero, the unsigned decrement wraps to UINT_MAX. This keeps hold non-zero for a very long time, so aa_put_buffer() never returns buffers to the global list, which can starve other CPUs and force repeated kmalloc(aa_g_path_max) allocations.

Guard the decrement so hold never underflows.

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.