CVE-2026-45965
Description
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix invalid deref of rawdata when export_binary is unset
If the export_binary parameter is disabled at runtime, profiles that were loaded before that will still have their rawdata stored in apparmorfs, with a symbolic link to the rawdata in the policy directory. When one of those profiles is replaced, the rawdata is set to NULL, but when trying to resolve the symbolic links to rawdata for that profile, it will try to dereference profile->rawdata->name when profile->rawdata is now NULL, causing an oops. Fix it by checking if rawdata is set.
[ 168.653080] BUG: kernel NULL pointer dereference, address: 0000000000000088
[ 168.657420] #PF: supervisor read access in kernel mode
[ 168.660619] #PF: error_code(0x0000) - not-present page
[ 168.663613] PGD 0 P4D 0
[ 168.665450] Oops: Oops: 0000 [#1] SMP NOPTI
[ 168.667836] CPU: 1 UID: 0 PID: 1729 Comm: ls Not tainted 6.19.0-rc7+ #3 PREEMPT(voluntary)
[ 168.672308] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 168.679327] RIP: 0010:rawdata_get_link_base.isra.0+0x23/0x330
[ 168.682768] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 18 48 89 55 d0 48 85 ff 0f 84 e3 01 00 00 <48> 83 3c 25 88 00 00 00 00 0f 84 d4 01 00 00 49 89 f6 49 89 cc e8
[ 168.689818] RSP: 0018:ffffcdcb8200fb80 EFLAGS: 00010282
[ 168.690871] RAX: ffffffffaee74ec0 RBX: 0000000000000000 RCX: ffffffffb0120158
[ 168.692251] RDX: ffffcdcb8200fbe0 RSI: ffff88c187c9fa80 RDI: ffff88c186c98a80
[ 168.693593] RBP: ffffcdcb8200fbc0 R08: 0000000000000000 R09: 0000000000000000
[ 168.694941] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88c186c98a80
[ 168.696289] R13: 00007fff005aaa20 R14: 0000000000000080 R15: ffff88c188f4fce0
[ 168.697637] FS: 0000790e81c58280(0000) GS:ffff88c20a957000(0000) knlGS:0000000000000000
[ 168.699227] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 168.700349] CR2: 0000000000000088 CR3: 000000012fd3e000 CR4: 0000000000350ef0
[ 168.701696] Call Trace:
[ 168.702325]
[ 168.702995] rawdata_get_link_data+0x1c/0x30
[ 168.704145] vfs_readlink+0xd4/0x160
[ 168.705152] do_readlinkat+0x114/0x180
[ 168.706214] __x64_sys_readlink+0x1e/0x30
[ 168.708653] x64_sys_call+0x1d77/0x26b0
[ 168.709525] do_syscall_64+0x81/0x500
[ 168.710348] ? do_statx+0x72/0xb0
[ 168.711109] ? putname+0x3e/0x80
[ 168.711845] ? __x64_sys_statx+0xb7/0x100
[ 168.712711] ? x64_sys_call+0x10fc/0x26b0
[ 168.713577] ? do_syscall_64+0xbf/0x500
[ 168.714412] ? do_user_addr_fault+0x1d2/0x8d0
[ 168.715404] ? irqentry_exit+0xb2/0x740
[ 168.716359] ? exc_page_fault+0x90/0x1b0
[ 168.717307] entry_SYSCALL_64_after_hwframe+0x76/0x7e
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, an AppArmor NULL pointer dereference in rawdata_get_link_base occurs when export_binary is disabled and a profile is replaced, leading to a kernel oops.
Vulnerability
The vulnerability resides in the AppArmor LSM's rawdata_get_link_base function in the Linux kernel. When the /sys/kernel/security/apparmor/ export_binary parameter is disabled at runtime, profiles loaded before the disablement retain their rawdata in apparmorfs with a symbolic link. If a profile that still has a rawdata symlink is replaced, the rawdata pointer is set to NULL, but subsequent resolution of the symbolic link attempts to dereference profile->rawdata->name, causing a NULL pointer dereference and kernel oops. Affected versions include Linux kernel 6.19-rc7 and likely earlier kernels that have AppArmor support.
Exploitation
An attacker needs to have privileges to replace an AppArmor profile (e.g., root or CAP_MAC_ADMIN) and the system must have the export_binary parameter disabled. The attacker would trigger a profile replacement (e.g., via apparmor_parser -r) on a profile that was loaded before export_binary was disabled. When any user or process (e.g., ls) accesses the symbolic link in the policy directory, the kernel crashes.
Impact
The attacker can cause a denial of service via a kernel NULL pointer dereference and crash (oops). This results in system instability or downtime. There is no information disclosure or privilege escalation; the impact is limited to availability.
Mitigation
The fix is implemented in commit b25298e89a2 in the Linux kernel stable tree [1]. It adds a NULL check on profile->rawdata before dereferencing. Users should apply the patch or update to a kernel version that includes the fix. A workaround is to avoid disabling export_binary if profiles need to be replaced, or to reload all profiles after disabling export_binary. The CVE is not listed in CISA KEV as of publication.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
b25298e89a29 apparmor: fix invalid deref of rawdata when export_binary is unset
1 file changed · +9 −1
security/apparmor/apparmorfs.c+9 −1 modifieddiff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index c2a09056c70141..6885ecd4afddca 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -1637,6 +1637,15 @@ static const char *rawdata_get_link_base(struct dentry *dentry, label = aa_get_label_rcu(&proxy->label); profile = labels_profile(label); + + /* rawdata can be null when aa_g_export_binary is unset during + * runtime and a profile is replaced + */ + if (!profile->rawdata) { + aa_put_label(label); + return ERR_PTR(-ENOENT); + } + depth = profile_depth(profile); target = gen_symlink_name(depth, profile->rawdata->name, name); aa_put_label(label); -- cgit 1.3-korg
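Review bot: The new `if (!profile->rawdata)` test and the `profile->rawdata->name` argument to gen_symlink_name() a few lines later load the pointer twice. Reading it once into a local and using that local for both the test and the dereference would make it explicit that the value checked is the value used, and would keep the check from drifting away from the use if code is later added between them.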
19f2e4055626 apparmor: fix invalid deref of rawdata when export_binary is unset
1 file changed · +9 −1
security/apparmor/apparmorfs.c+9 −1 modifieddiff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 01b923d97a4461..584b40718ecb70 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -1631,6 +1631,15 @@ static const char *rawdata_get_link_base(struct dentry *dentry, label = aa_get_label_rcu(&proxy->label); profile = labels_profile(label); + + /* rawdata can be null when aa_g_export_binary is unset during + * runtime and a profile is replaced + */ + if (!profile->rawdata) { + aa_put_label(label); + return ERR_PTR(-ENOENT); + } + depth = profile_depth(profile); target = gen_symlink_name(depth, profile->rawdata->name, name); aa_put_label(label); -- cgit 1.3-korg
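Review bot: The added comment explains when rawdata can be NULL but not what the caller now observes: the early return hands `ERR_PTR(-ENOENT)` back for a link that, per the commit message, still exists in the policy directory. The comment should say that readlink on such a link fails with ENOENT by design, or the change should state whether the stale link is meant to be removed when the profile is replaced. As a style point, the multi-line comment opens with text on the `/*` line; the usual kernel form puts `/*` on a line of its own.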
1d2b2b58fde9 apparmor: fix invalid deref of rawdata when export_binary is unset
1 file changed · +9 −1
security/apparmor/apparmorfs.c+9 −1 modifieddiff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 391a586d0557f0..7803b973b4c427 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -1639,6 +1639,15 @@ static const char *rawdata_get_link_base(struct dentry *dentry, label = aa_get_label_rcu(&proxy->label); profile = labels_profile(label); + + /* rawdata can be null when aa_g_export_binary is unset during + * runtime and a profile is replaced + */ + if (!profile->rawdata) { + aa_put_label(label); + return ERR_PTR(-ENOENT); + } + depth = profile_depth(profile); target = gen_symlink_name(depth, profile->rawdata->name, name); aa_put_label(label); -- cgit 1.3-korg
df9ac55abd18 apparmor: fix invalid deref of rawdata when export_binary is unset
1 file changed · +9 −1
security/apparmor/apparmorfs.c+9 −1 modifieddiff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 9b4f833e36cd09..5a848c1be05693 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -1648,6 +1648,15 @@ static const char *rawdata_get_link_base(struct dentry *dentry, label = aa_get_label_rcu(&proxy->label); profile = labels_profile(label); + + /* rawdata can be null when aa_g_export_binary is unset during + * runtime and a profile is replaced + */ + if (!profile->rawdata) { + aa_put_label(label); + return ERR_PTR(-ENOENT); + } + depth = profile_depth(profile); target = gen_symlink_name(depth, profile->rawdata->name, name); aa_put_label(label); -- cgit 1.3-korg
e6b2fc7e34d4 apparmor: fix invalid deref of rawdata when export_binary is unset
1 file changed · +9 −1
security/apparmor/apparmorfs.c+9 −1 modifieddiff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 06eac22665656b..e736936f4f0bad 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -1618,6 +1618,15 @@ static const char *rawdata_get_link_base(struct dentry *dentry, label = aa_get_label_rcu(&proxy->label); profile = labels_profile(label); + + /* rawdata can be null when aa_g_export_binary is unset during + * runtime and a profile is replaced + */ + if (!profile->rawdata) { + aa_put_label(label); + return ERR_PTR(-ENOENT); + } + depth = profile_depth(profile); target = gen_symlink_name(depth, profile->rawdata->name, name); aa_put_label(label); -- cgit 1.3-korg
6d8c180c825c apparmor: fix invalid deref of rawdata when export_binary is unset
1 file changed · +9 −1
security/apparmor/apparmorfs.c+9 −1 modifieddiff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index c70b86f17124ac..bd822f13e32530 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -1618,6 +1618,15 @@ static const char *rawdata_get_link_base(struct dentry *dentry, label = aa_get_label_rcu(&proxy->label); profile = labels_profile(label); + + /* rawdata can be null when aa_g_export_binary is unset during + * runtime and a profile is replaced + */ + if (!profile->rawdata) { + aa_put_label(label); + return ERR_PTR(-ENOENT); + } + depth = profile_depth(profile); target = gen_symlink_name(depth, profile->rawdata->name, name); aa_put_label(label); -- cgit 1.3-korg
3c36b87fc2a4 apparmor: fix invalid deref of rawdata when export_binary is unset
1 file changed · +9 −1
security/apparmor/apparmorfs.c+9 −1 modifieddiff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index ce7b2f43c3193c..fa518cd82366a4 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -1626,6 +1626,15 @@ static const char *rawdata_get_link_base(struct dentry *dentry, label = aa_get_label_rcu(&proxy->label); profile = labels_profile(label); + + /* rawdata can be null when aa_g_export_binary is unset during + * runtime and a profile is replaced + */ + if (!profile->rawdata) { + aa_put_label(label); + return ERR_PTR(-ENOENT); + } + depth = profile_depth(profile); target = gen_symlink_name(depth, profile->rawdata->name, name); aa_put_label(label); -- cgit 1.3-korg
1432ab0774cb apparmor: fix invalid deref of rawdata when export_binary is unset
1 file changed · +9 −1
security/apparmor/apparmorfs.c+9 −1 modifieddiff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 907bd2667e28c7..9252172d50682b 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -1644,6 +1644,15 @@ static const char *rawdata_get_link_base(struct dentry *dentry, label = aa_get_label_rcu(&proxy->label); profile = labels_profile(label); + + /* rawdata can be null when aa_g_export_binary is unset during + * runtime and a profile is replaced + */ + if (!profile->rawdata) { + aa_put_label(label); + return ERR_PTR(-ENOENT); + } + depth = profile_depth(profile); target = gen_symlink_name(depth, profile->rawdata->name, name); aa_put_label(label); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing NULL pointer check on profile->rawdata before dereferencing profile->rawdata->name in rawdata_get_link_base."
Attack vector
An attacker with local access (or any user able to list files in apparmorfs) triggers a kernel NULL pointer dereference by reading a symbolic link under the policy directory for a profile that was loaded before the `export_binary` parameter was disabled at runtime and then replaced. When the profile is replaced, its `rawdata` pointer is set to NULL, but the stale symbolic link remains. Resolving that link via `readlink` or `ls` causes `rawdata_get_link_base` to access `profile->rawdata->name` on the NULL pointer, leading to an oops [patch_id=2660919].
Affected code
The vulnerability is in the `rawdata_get_link_base` function in `security/apparmor/apparmorfs.c` [patch_id=2660919]. The function dereferences `profile->rawdata->name` without first checking whether `profile->rawdata` is NULL.
What the fix does
The patch adds a NULL check for `profile->rawdata` at the beginning of `rawdata_get_link_base`, before the dereference. If `rawdata` is NULL, the function releases the label reference and returns `-ENOENT` via `ERR_PTR`, preventing the NULL pointer dereference and instead returning a clean "no such entry" error to user space [patch_id=2660919].
Preconditions
- config: The aa_g_export_binary AppArmor parameter must be disabled at runtime after profiles have been loaded
- input: A profile that was loaded before export_binary was disabled must be replaced, setting its rawdata to NULL
- input: A user must attempt to resolve the stale symbolic link to the rawdata for that profile (e.g., via readlink or ls)
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
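A log triage check for the oops quoted in the description, added here as an example and not taken from the advisory or the kernel tree: it groups kernel log lines into NULL-dereference reports and keeps those that faulted in rawdata_get_link_base. The function names, the record fields and the second report in the sample are assumptions made up for the example.

```python
import re

# Constructed sample: lines trimmed from the oops in this page's description,
# followed by an invented, unrelated NULL dereference for contrast.
SAMPLE_LOG = """\
[  168.653080] BUG: kernel NULL pointer dereference, address: 0000000000000088
[  168.667836] CPU: 1 UID: 0 PID: 1729 Comm: ls Not tainted 6.19.0-rc7+ #3 PREEMPT(voluntary)
[  168.679327] RIP: 0010:rawdata_get_link_base.isra.0+0x23/0x330
[  168.701696] Call Trace:
[  168.702995]  rawdata_get_link_data+0x1c/0x30
[  168.704145]  vfs_readlink+0xd4/0x160
[  168.710348]  ? do_statx+0x72/0xb0
[  912.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  912.000002] CPU: 0 UID: 0 PID: 42 Comm: kworker/0:1 Not tainted 6.19.0-rc7+ #3
[  912.000003] RIP: 0010:example_driver_poll+0x10/0x40
[  912.000004] Call Trace:
[  912.000005]  process_one_work+0x1a0/0x3c0
"""

LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")
BUG = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
TASK = re.compile(r"PID: (\d+) Comm: (.+?) (?:Not tainted|Tainted: [A-Z ]+?) +(\d\S*)")
# Symbol names drop compiler suffixes such as ".isra.0" so they compare cleanly.
RIP = re.compile(r"RIP: [0-9a-f]{4}:([A-Za-z_]\w*)(?:\.[\w.]+)?\+0x")
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_]\w*)(?:\.[\w.]+)?\+0x[0-9a-f]+/0x[0-9a-f]+")


def split_oopses(log_text):
    """Group kernel log lines into one record per NULL-dereference report."""
    records, cur, in_trace = [], None, False
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        msg = line.group(2)
        if (m := BUG.search(msg)):
            cur = {"time": float(line.group(1)), "address": int(m.group(1), 16),
                   "rip": None, "pid": None, "comm": None, "release": None, "frames": []}
            records.append(cur)
            in_trace = False
        elif cur is None:
            continue
        elif "---[ end trace" in msg:
            cur = None
        elif msg.startswith("Call Trace:"):
            in_trace = True
        elif (m := RIP.search(msg)) and cur["rip"] is None:
            cur["rip"] = m.group(1)
        elif (m := TASK.search(msg)):
            cur["pid"], cur["comm"], cur["release"] = int(m.group(1)), m.group(2), m.group(3)
        elif in_trace and (m := FRAME.match(msg)) and not m.group(1):
            # Frames printed with '?' are unreliable stack leftovers; skip them.
            cur["frames"].append(m.group(2))
    return records


def find_rawdata_oopses(log_text):
    """Return reports that faulted in rawdata_get_link_base (this CVE's oops)."""
    hits = [r for r in split_oopses(log_text) if r["rip"] == "rawdata_get_link_base"]
    for rec in hits:
        # A readlink path among the reliable frames matches the page's trace.
        rec["via_readlink"] = "vfs_readlink" in rec["frames"]
    return hits
```

Feed it the text of `dmesg` or `journalctl -k`; the `release` field of each hit tells you which kernel build crashed, which is what you compare against the fixed versions.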
References
- git.kernel.org/stable/c/1432ab0774cba43e8111be39989ff226531a9bac (nvd)
- git.kernel.org/stable/c/19f2e4055626a58842ddec3282ad4465a80c6625 (nvd)
- git.kernel.org/stable/c/1d2b2b58fde9059a488bc25399e6c3d74e9b5548 (nvd)
- git.kernel.org/stable/c/3c36b87fc2a4cf88eadea8cf13923bd2b4f9a3fa (nvd)
- git.kernel.org/stable/c/6d8c180c825cbc73eeffaa79591f8e142dacae70 (nvd)
- git.kernel.org/stable/c/b25298e89a297c42eb4c4d6f081d60375b820abb (nvd)
- git.kernel.org/stable/c/df9ac55abd18628bd8cff687ea043660532a3654 (nvd)
- git.kernel.org/stable/c/e6b2fc7e34d4e7ca6b8598c33a3d45d59e455d8d (nvd)