CVE-2026-45966
Description
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix NULL pointer dereference in __unix_needs_revalidation
When receiving file descriptors via SCM_RIGHTS, both the socket pointer and the socket's sk pointer can be NULL during socket setup or teardown, causing NULL pointer dereferences in __unix_needs_revalidation().
This is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new __unix_needs_revalidation() function was added without proper NULL checks.
The crash manifests as:

    BUG: kernel NULL pointer dereference, address: 0x0000000000000018
    RIP: aa_file_perm+0xb7/0x3b0 (or +0xbe/0x3b0, +0xc0/0x3e0)
    Call Trace:
      apparmor_file_receive+0x42/0x80
      security_file_receive+0x2e/0x50
      receive_fd+0x1d/0xf0
      scm_detach_fds+0xad/0x1c0
The function dereferences sock->sk->sk_family without checking if either sock or sock->sk is NULL first.
Add NULL checks for both sock and sock->sk before accessing sk_family.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in AppArmor's __unix_needs_revalidation() when receiving SCM_RIGHTS file descriptors causes kernel crashes on Linux 6.17+.
Vulnerability
In the Linux kernel, a NULL pointer dereference vulnerability exists in the AppArmor security module's __unix_needs_revalidation() function, introduced in AppArmor 5.0.0 (kernel 6.17+). The function dereferences sock->sk->sk_family without first checking whether sock or sock->sk is NULL. This occurs when file descriptors are received via SCM_RIGHTS during socket setup or teardown, where either pointer can be NULL. The crash manifests as a kernel NULL pointer dereference at aa_file_perm+0xb7/0x3b0 (or similar offsets) in the call trace apparmor_file_receive -> security_file_receive -> receive_fd -> scm_detach_fds [1].
Exploitation
An attacker can trigger this vulnerability by sending file descriptors via SCM_RIGHTS over a Unix socket to a target socket that is in the process of being set up or torn down. No special privileges are required beyond the ability to create and send file descriptors over a Unix socket. The race window is narrow but exploitable; the attacker must time the delivery of the file descriptors to coincide with the socket's setup or teardown phase. No user interaction is needed beyond the attacker's own actions.
Impact
Successful exploitation results in a kernel NULL pointer dereference, causing a denial of service (system crash or hang). The vulnerability does not appear to allow privilege escalation or information disclosure; the primary impact is availability loss. The crash is immediate and can be triggered repeatedly.
Mitigation
The fix is available in the Linux kernel stable commit fea017a7f6abe179decf575a2d8464c74edb3964 [1], which adds NULL checks for both sock and sock->sk before accessing sk_family. Users should apply this patch or update to a kernel version that includes it. No workaround is available for unpatched systems; the only mitigation is to avoid receiving file descriptors over Unix sockets during socket setup/teardown, which is impractical. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
fea017a7f6ab apparmor: fix NULL pointer dereference in __unix_needs_revalidation
1 file changed · +3 −1
security/apparmor/file.c+3 −1 modifieddiff --git a/security/apparmor/file.c b/security/apparmor/file.c index c758204028780f..919dbbbc87ab62 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c @@ -578,6 +578,9 @@ static bool __unix_needs_revalidation(struct file *file, struct aa_label *label, return false; if (request & NET_PEER_MASK) return false; + /* sock and sock->sk can be NULL for sockets being set up or torn down */ + if (!sock || !sock->sk) + return false; if (sock->sk->sk_family == PF_UNIX) { struct aa_sk_ctx *ctx = aa_sock(sock->sk); -- cgit 1.3-korg
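Review bot: the new guard answers a NULL `sock` or `sock->sk` with `return false`, i.e. "no revalidation needed", the same answer the adjacent `request & NET_PEER_MASK` branch gives; that is the right shape for a socket that has no peer state yet, but the commit message should state why skipping revalidation (rather than denying the receive) is also safe for the teardown case, since a reader of the diff only sees the check placed after two unrelated early returns. Separately, the per-file stat reads `+3 −1` while the hunk header `@@ -578,6 +578,9 @@` and the visible lines show three added lines and no removal; worth confirming the hunk is displayed in full.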
e85bc9101afc apparmor: fix NULL pointer dereference in __unix_needs_revalidation
1 file changed · +3 −1
security/apparmor/file.c+3 −1 modifieddiff --git a/security/apparmor/file.c b/security/apparmor/file.c index c758204028780f..919dbbbc87ab62 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c @@ -578,6 +578,9 @@ static bool __unix_needs_revalidation(struct file *file, struct aa_label *label, return false; if (request & NET_PEER_MASK) return false; + /* sock and sock->sk can be NULL for sockets being set up or torn down */ + if (!sock || !sock->sk) + return false; if (sock->sk->sk_family == PF_UNIX) { struct aa_sk_ctx *ctx = aa_sock(sock->sk); -- cgit 1.3-korg
e2938ad00b21 apparmor: fix NULL pointer dereference in __unix_needs_revalidation
1 file changed · +3 −1
security/apparmor/file.c+3 −1 modifieddiff --git a/security/apparmor/file.c b/security/apparmor/file.c index c758204028780f..919dbbbc87ab62 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c @@ -578,6 +578,9 @@ static bool __unix_needs_revalidation(struct file *file, struct aa_label *label, return false; if (request & NET_PEER_MASK) return false; + /* sock and sock->sk can be NULL for sockets being set up or torn down */ + if (!sock || !sock->sk) + return false; if (sock->sk->sk_family == PF_UNIX) { struct aa_sk_ctx *ctx = aa_sock(sock->sk); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing NULL pointer checks for `sock` and `sock->sk` in `__unix_needs_revalidation()` before dereferencing `sock->sk->sk_family`."
Attack vector
An attacker can trigger this NULL pointer dereference by sending file descriptors via `SCM_RIGHTS` over a Unix socket while the receiving socket is in a transient setup or teardown state [patch_id=2660901]. The crash path is `scm_detach_fds` → `receive_fd` → `security_file_receive` → `apparmor_file_receive` → `aa_file_perm` → `__unix_needs_revalidation`, where the function accesses `sock->sk->sk_family` without checking whether `sock` or `sock->sk` is NULL [patch_id=2660901]. No special privileges are required beyond the ability to send file descriptors over a Unix socket.
Affected code
The vulnerable function is `__unix_needs_revalidation()` in `security/apparmor/file.c` [patch_id=2660901]. The function was added in AppArmor 5.0.0 (kernel 6.17+) as part of commit 88fec3526e841 and dereferences `sock->sk->sk_family` without NULL checks [patch_id=2660901].
What the fix does
The patch adds a guard clause `if (!sock || !sock->sk) return false;` at the beginning of `__unix_needs_revalidation()` in `security/apparmor/file.c` [patch_id=2660901]. This ensures that when a socket is still being set up or has already been torn down — making either `sock` or `sock->sk` NULL — the function returns early without dereferencing the NULL pointer. The comment in the patch explicitly documents that both pointers can be NULL for sockets being set up or torn down [patch_id=2660901].
Preconditions
- config: The system must be running a kernel with AppArmor 5.0.0 (kernel 6.17+) that includes the __unix_needs_revalidation() function.
- input: An attacker must be able to send file descriptors via SCM_RIGHTS over a Unix socket to a socket that is in a transient setup or teardown state.
- config: AppArmor must be enabled and enforcing on the system.
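As an added triage check (not part of this CVE record or of the kernel's own code), the POSIX shell script below encodes the two config preconditions above: it parses a kernel release string for 6.17 or newer and checks the AppArmor enabled flag, then reports whether a host should be checked for the fix commit. The release string and the AppArmor state are passed in as arguments so the logic runs offline; the `--live` mode reads `uname -r` and `/sys/module/apparmor/parameters/enabled`, which are real interfaces, while the function names and the verdict strings are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the CVE record: encode the page's two config
# preconditions (kernel 6.17+ with AppArmor 5.0.0, AppArmor enabled) as a
# host triage check. Function names and verdict strings are this example's own.

# kernel_at_least_6_17 RELEASE
#   exit 0 when RELEASE is 6.17 or newer, 1 when older, 2 when unparseable.
#   Handles suffixes such as "6.17.0-rc1" or "6.18.3-generic" by keeping only
#   the leading digits of the major and minor fields.
kernel_at_least_6_17() {
    major=$(printf '%s' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    if [ -z "$major" ] || [ -z "$minor" ]; then
        return 2
    fi
    if [ "$major" -gt 6 ]; then
        return 0
    elif [ "$major" -eq 6 ] && [ "$minor" -ge 17 ]; then
        return 0
    fi
    return 1
}

# cve_2026_45966_triage RELEASE ENABLED
#   RELEASE: kernel release string (what `uname -r` prints)
#   ENABLED: contents of /sys/module/apparmor/parameters/enabled ("Y" or "N")
#   Prints one of:
#     check-for-fix  both preconditions hold; confirm the fix commit is present
#     out-of-scope   kernel older than 6.17 or AppArmor not enabled
#     unknown        release string could not be parsed
cve_2026_45966_triage() {
    rc=0
    kernel_at_least_6_17 "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "unknown"
        return 2
    elif [ "$rc" -ne 0 ] || [ "$2" != "Y" ]; then
        echo "out-of-scope"
        return 1
    fi
    echo "check-for-fix"
    return 0
}

# Live mode: read the real values from the running host.
if [ "${1:-}" = "--live" ]; then
    enabled=N
    if [ -r /sys/module/apparmor/parameters/enabled ]; then
        enabled=$(cat /sys/module/apparmor/parameters/enabled)
    fi
    cve_2026_45966_triage "$(uname -r)" "$enabled"
fi
```

Run it as `sh triage.sh --live` on a host. A `check-for-fix` verdict only means both config preconditions hold; it does not by itself mean the host is vulnerable, because the record gives commit ids rather than fixed version numbers, so the next step is to confirm that fea017a7f6abe179decf575a2d8464c74edb3964 (or one of the stable backports listed under Patches) is in the running kernel's changelog.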
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.