CVE-2026-47329
Description
Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppArmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A low-severity validation bypass in Ubuntu's AppArmor notification handling allows unprivileged local users to have crafted responses handled by the kernel.
Vulnerability
The Ubuntu Linux kernels 6.8, 6.17, and 7.0 include SAUCE patches for AppArmor that fail to properly validate the size of the name field in notification responses. The function response_is_valid_name in security/apparmor/notify.c returns negative values on error, but because C treats any non-zero value, negative ones included, as true, these errors are not caught, leading to a validation bypass [1]. This affects only the Ubuntu kernels with the SAUCE patches for AppArmor 4.0.0 prompt features.
Exploitation
An unprivileged local user can trigger this bug by sending crafted notification responses with invalid size or offset values. The attacker must be able to interact with the AppArmor notification mechanism from user space. No special privileges or network access are required beyond local user access.
Impact
Successful exploitation could result in the kernel handling a crafted notification response that bypasses validation. The impact is limited to potential processing of invalid data, and the severity is considered low because the bug primarily affects the validation logic without directly enabling privilege escalation or code execution.
Mitigation
The fix was committed on 2026-04-22 and backported to the Ubuntu kernel packages. Users should update to the latest kernel versions that include commit 9ea8b64b3ad27d0501cf711efa98077998a33b14 [1]. No workarounds are available for unpatched systems. This CVE is not listed in the Known Exploited Vulnerabilities catalog.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0. No patches discovered yet.
Vulnerability mechanics
Root cause
"A boolean-returning validation function returns negative error codes instead of false, causing C's truthy evaluation to bypass the intended validation."
Attack vector
An unprivileged local user can craft an AppArmor notification response with an invalid `name` field size or offset. The `response_is_valid_name()` function [1] was intended to reject such malformed responses by returning `false`, but due to the bug it returned negative error codes (`-EMSGSIZE`, `-EINVAL`), which C evaluates as true. This allows the crafted response to pass validation and be processed by the kernel, potentially leading to incorrect handling of the response.
Affected code
The vulnerability is in `security/apparmor/notify.c` in the `response_is_valid_name()` function. The function was declared to return `bool` but used `return -EMSGSIZE` and `return -EINVAL` (negative integer error codes) instead of `return false`. Because C treats any non-zero value as true, these negative error returns were interpreted as "valid" by callers, bypassing the intended validation checks.
What the fix does
The patch [1] changes all four `return` statements in `response_is_valid_name()` from returning negative error codes (`-EMSGSIZE`, `-EINVAL`) to returning `false`. Since the function is declared as `static bool`, returning `false` correctly signals validation failure to callers. The commit message explains that "due to how C interprets negative values as true, the validation of response_is_valid_name could be bypassed if invalid data was passed into that function."
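The return-type bug and its fix in a user-space model, as an added example (not the kernel source or the patch itself). `struct demo_resp`, both checker functions, `run()` and the specific bounds checks are hypothetical; only the `bool` return type and the `-EMSGSIZE`/`-EINVAL` versus `false` returns come from the description above.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified response layout; not the kernel's structure. */
struct demo_resp {
    size_t size;      /* length the sender claims for data[] */
    size_t name_off;  /* claimed offset of the NUL-terminated name */
    char data[32];
};

/* "Before" pattern: a bool function returning errno codes. -EMSGSIZE and
 * -EINVAL are non-zero, so the conversion to bool turns each into true. */
static bool name_ok_buggy(const struct demo_resp *r)
{
    if (r->size > sizeof(r->data))
        return -EMSGSIZE;
    if (r->name_off >= r->size)
        return -EINVAL;
    if (!memchr(r->data + r->name_off, '\0', r->size - r->name_off))
        return -EINVAL;
    return true;
}

/* "After" pattern: every rejection path returns false. */
static bool name_ok_fixed(const struct demo_resp *r)
{
    if (r->size > sizeof(r->data))
        return false;
    if (r->name_off >= r->size)
        return false;
    if (!memchr(r->data + r->name_off, '\0', r->size - r->name_off))
        return false;
    return true;
}

/* Build a constructed sample response and run one checker over it. */
static bool run(bool (*check)(const struct demo_resp *), size_t size, size_t off)
{
    struct demo_resp r = { .size = size, .name_off = off, .data = "demo-name" };
    return check(&r);
}

int main(void)
{
    printf("oversized:   buggy=%d fixed=%d\n", run(name_ok_buggy, 64, 0), run(name_ok_fixed, 64, 0));
    printf("well-formed: buggy=%d fixed=%d\n", run(name_ok_buggy, 16, 0), run(name_ok_fixed, 16, 0));
}
```

A regression test for this class of bug needs negative cases: the buggy checker passes any test that only feeds it well-formed input.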
Preconditions
- auth: Attacker must be a local unprivileged user on the system
- input: Attacker must be able to send crafted AppArmor notification responses
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0. No linked articles in our index yet.