CVE-2026-47328
Description
Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory management bug in Ubuntu's AppArmor SAUCE patches can be triggered by an unprivileged local user, leading to slab corruption and resource exhaustion.
Vulnerability
In Ubuntu Linux kernels 6.8, 6.17, and 7.0, the AppArmor SAUCE patches contain a memory management flaw in security/apparmor/notify.c within the knotif_update_from_uresp_name function. After the kstrdup call, the code checks the variable name instead of the newly allocated glob pointer. Additionally, if the subsequent aa_dup_audit_data call fails, the code calls kfree(name) on a pointer that was not allocated via kmalloc, while also leaking the memory allocated for glob. The bug was introduced by commit c723113f3acf and affects the named kernel versions [1].
Exploitation
An unprivileged local user can trigger the bug by sending a crafted request that causes the knotif_update_from_uresp_name function to be invoked. The attacker does not require any special privileges or authentication beyond local access. The exact sequence involves the kernel path where kstrdup succeeds but aa_dup_audit_data fails, leading to the erroneous kfree(name) and the memory leak of glob [1].
Impact
Successful exploitation results in corruption of slab metadata due to the kfree of a non-kmalloc'd pointer, which can cause system instability or denial of service. Additionally, the memory leak of glob can lead to resource exhaustion over time. The attacker gains no code execution or privilege escalation directly, but the system may become unreliable or crash [1].
Mitigation
The fix is provided in commit 7f3c4902c39432ce7ea0d384cb70eba282247fac in the Ubuntu kernel repository, which corrects the pointer checks and ensures proper kfree of glob. Users should apply the updated kernel package once it is released for their Ubuntu version. No workaround is documented; updating to the patched kernel is the recommended mitigation [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Incorrect pointer variable used in NULL-check and kfree after kstrdup in AppArmor notify.c leads to use of unallocated memory, slab corruption, and memory leak."
Attack vector
An unprivileged local user triggers the AppArmor notification path that calls `knotif_update_from_uresp_name`. When `kstrdup` fails (returns NULL), the code checks `!name` (which is the original argument, not the NULL return) and proceeds to use a NULL `glob` pointer, leading to a NULL-pointer dereference or use of freed memory. Separately, when `kstrdup` succeeds but `aa_dup_audit_data` fails, the code calls `kfree(name)` on a stack or otherwise non-kmalloc'd pointer, corrupting slab metadata. The same failure path also leaks the `glob` allocation because it is never freed [ref_id=1].
Affected code
The bug is in `security/apparmor/notify.c` in the function `knotif_update_from_uresp_name`. The patch shows two errors: (1) the NULL check after `kstrdup()` tests the original `name` pointer instead of the newly allocated `glob` pointer; (2) on the `!clone` failure path, `kfree(name)` is called on a pointer that was not allocated by `kmalloc`, when the intended target was `kfree(glob)` [ref_id=1].
What the fix does
The patch corrects the NULL check from `if (!name)` to `if (!glob)`, so that a failed `kstrdup` is properly detected and the function returns `-ENOMEM` after releasing the `clone` reference. It also changes the `kfree` on the `!clone` failure path from `kfree(name)` to `kfree(glob)`, ensuring the correct dynamically-allocated pointer is freed and the memory leak is closed [ref_id=1].
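The two defects and their correction can be reproduced in a userspace model with a tracking allocator. This is an added example, not the Ubuntu kernel source or the patch itself: `model_kstrdup`, `model_kfree`, `update_buggy`, `update_fixed` and the `clone_ok` flag (standing in for the result of `aa_dup_audit_data`) are hypothetical names, and the control flow is simplified from the description above.

```c
/* Userspace model, constructed for illustration; not the Ubuntu kernel source. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SLOTS 8
static void *live[SLOTS];          /* allocations the model allocator has handed out */
static int bad_frees, outstanding; /* frees of foreign pointers; copies not yet freed */

static char *model_kstrdup(const char *s) {
    char *p = s ? malloc(strlen(s) + 1) : NULL;
    for (int i = 0; p && i < SLOTS; i++)
        if (!live[i]) { live[i] = p; outstanding++; return strcpy(p, s); }
    free(p);                       /* table full or malloc failed: report failure */
    return NULL;
}

static void model_kfree(const void *p) {
    for (int i = 0; p && i < SLOTS; i++)
        if (live[i] == p) { free(live[i]); live[i] = NULL; outstanding--; return; }
    if (p) bad_frees++;            /* in the kernel this pointer reaches the slab allocator */
}
static int invalid_frees(void) { return bad_frees; }
static int leaked(void) { return outstanding; }

/* clone_ok models whether aa_dup_audit_data() succeeded (assumption of this model). */
static int update_buggy(const char *name, int clone_ok) {
    char *glob = model_kstrdup(name);
    if (!name) return -ENOMEM;     /* tests the argument, not the new copy */
    if (!clone_ok) { model_kfree(name); return -ENOMEM; } /* wrong pointer; glob leaks */
    model_kfree(glob);             /* model only: success path releases the copy */
    return 0;
}

static int update_fixed(const char *name, int clone_ok) {
    char *glob = model_kstrdup(name);
    if (!glob) return -ENOMEM;     /* failed duplication is detected */
    if (!clone_ok) { model_kfree(glob); return -ENOMEM; } /* frees what was allocated */
    model_kfree(glob);
    return 0;
}

int main(void) {
    char name[] = "/usr/bin/*";    /* constructed sample, lives on the stack */
    update_fixed(name, 0);
    printf("fixed: invalid frees=%d leaked=%d\n", invalid_frees(), leaked());
    update_buggy(name, 0);
    printf("buggy: invalid frees=%d leaked=%d\n", invalid_frees(), leaked());
    return 0;
}
```

Each failing call through `update_buggy` adds one invalid free and one outstanding allocation, which is the slab-corruption and leak pair the description names; `update_fixed` leaves both counters at zero.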
Preconditions
- auth: Attacker must be a local unprivileged user on an Ubuntu system running kernel 6.8, 6.17, or 7.0 with the AppArmor SAUCE patches applied.
- config: The AppArmor notification path (knotif_update_from_uresp_name) must be reachable, which requires AppArmor to be active and the relevant notification mechanism to be triggered.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.