VYPR
Medium severity (5.5) · NVD Advisory · Published May 28, 2026

CVE-2026-47326

Description

Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory leak in Ubuntu Linux 6.8, 6.17, and 7.0 handling big AppArmor notification responses can be triggered by an unprivileged local user, leading to resource exhaustion.

Vulnerability

A memory leak exists in the notify_user_response function in security/apparmor/apparmorfs.c of the Ubuntu Linux kernel (versions 6.8, 6.17, and 7.0) when handling large responses to AppArmor notifications. The bug is an inverted NULL check after calling aa_get_buffer(false). When allocating a big response buffer succeeds, the code incorrectly returns -ENOMEM without freeing the allocated buffer, causing a memory leak [1]. The affected code path is reachable when an unprivileged local user sends a large response to an AppArmor notification, as part of the SAUCE patches that add prompt functionality for AppArmor 4.0.0 [1].

Exploitation

An attacker must have local unprivileged access to the system and the ability to interact with the AppArmor notification interface (e.g., via apparmorfs). By sending a big response (larger than the fixed-size uresp structure) to an AppArmor notification, the kernel enters the affected code path, allocates a buffer via aa_get_buffer(false), but due to the inverted conditional, immediately returns -ENOMEM without ever freeing that buffer [1]. Repeatedly triggering this operation causes a sustained memory leak.

Impact

Successful exploitation of this memory leak results in gradual exhaustion of kernel memory on the target system. Over time, this can lead to denial of service (resource exhaustion), as system processes may run out of memory [1]. There is no privilege escalation or disclosure of confidential information—the impact is limited to availability.

Mitigation

The fix was committed on 2026-04-22 and is included in updated kernel packages for Ubuntu Linux 6.8, 6.17, and 7.0, as seen in commit 8d858ecb7e2e216ca2987302a04c266f2355fefe [1]. Users should apply the latest kernel updates from Ubuntu's repositories. The fix corrects the NULL check (if (!big_resp) instead of if (big_resp)), ensuring that -ENOMEM is returned only when allocation fails and that the buffer is properly freed on other errors [1]. No workarounds are documented; the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of publication.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Inverted NULL check after buffer allocation causes the kernel to leak the buffer and return -ENOMEM when allocation succeeds instead of when it fails."

Attack vector

An unprivileged local user can trigger the bug by sending a large response to an AppArmor notification (a "big response") that causes the kernel to allocate a buffer via `aa_get_buffer`. Because the NULL check is inverted, the kernel returns `-ENOMEM` when the allocation actually succeeds, leaking the allocated buffer. Repeated triggers exhaust kernel memory, leading to denial of service [ref_id=1].

Affected code

The bug is in `security/apparmor/apparmorfs.c` in the function `notify_user_response`. The patch shows a one-line fix in the handling of large notification responses that require an allocated buffer via `aa_get_buffer`.

What the fix does

The patch inverts the NULL check on the pointer returned by `aa_get_buffer(false)` from `if (big_resp)` to `if (!big_resp)`. The original code returned `-ENOMEM` when the allocation succeeded, leaking the buffer. The corrected code returns `-ENOMEM` only when the allocation actually fails, which is the intended behavior [ref_id=1].
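A constructed model of the buggy and fixed shapes of that check, added here for illustration and not taken from the kernel source or the fix commit. The counting buffer helpers, the SMALL_RESP_MAX threshold and the two function names are assumptions standing in for aa_get_buffer/aa_put_buffer, sizeof(struct uresp) and notify_user_response; the leak counter shows why the inverted test exhausts memory under repeated big responses.

```c
/* Model of the inverted NULL check in notify_user_response (constructed). */
#include <stddef.h>
#include <stdlib.h>

#define ENOMEM 12
#define SMALL_RESP_MAX 64     /* assumed stand-in for sizeof(struct uresp) */

static int live_buffers;      /* buffers obtained and not yet put back */
static int fail_next_alloc;   /* test hook: make the next allocation fail */

/* Stand-in for aa_get_buffer(): returns NULL on failure, counts successes. */
static void *aa_get_buffer_model(size_t size)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    live_buffers++;
    return malloc(size);
}

/* Stand-in for aa_put_buffer(): releases a buffer and decrements the count. */
static void aa_put_buffer_model(void *buf)
{
    if (!buf) return;
    live_buffers--;
    free(buf);
}

/* Vulnerable shape: a successful allocation returns -ENOMEM and is leaked. */
static int notify_user_response_buggy(size_t resp_size)
{
    if (resp_size <= SMALL_RESP_MAX)
        return 0;                       /* fits the fixed-size struct */
    char *big_resp = aa_get_buffer_model(resp_size);
    if (big_resp)                       /* BUG: condition is inverted */
        return -ENOMEM;                 /* big_resp is never put back */
    aa_put_buffer_model(big_resp);
    return 0;
}

/* Fixed shape: -ENOMEM only when allocation failed, buffer released otherwise. */
static int notify_user_response_fixed(size_t resp_size)
{
    if (resp_size <= SMALL_RESP_MAX)
        return 0;
    char *big_resp = aa_get_buffer_model(resp_size);
    if (!big_resp)                      /* correct: NULL means out of memory */
        return -ENOMEM;
    aa_put_buffer_model(big_resp);      /* normal path always releases it */
    return 0;
}

/* Drive n big responses through one variant; returns buffers still live. */
static int leaked_after(int (*fn)(size_t), int n)
{
    live_buffers = 0;
    for (int i = 0; i < n; i++)
        fn(SMALL_RESP_MAX + 1);         /* larger than the fixed-size struct */
    return live_buffers;
}
```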

Preconditions

  • Config: Attacker must be a local unprivileged user on an affected Ubuntu kernel (6.8, 6.17, or 7.0) with the SAUCE AppArmor notification patches.
  • Input: Attacker must be able to send large responses to AppArmor notifications (requires some interaction with AppArmor, which is typically enabled by default on Ubuntu).

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
