CVE-2026-47330
Description
Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ubuntu Linux kernels contain an uninitialized variable in AppArmor notification handling that can cause incorrect caching of responses, exploitable by unprivileged local users.
Vulnerability
An uninitialized variable `flags` in the function `knotif_update_from_uresp_perm` in `security/apparmor/notify.c` of Ubuntu Linux kernels (versions 6.8, 7.17, 7.0) using AppArmor SAUCE patches allows unexpected behavior. The variable is used in notification handling code introduced by commit 9e91d7c53d6c. The issue is fixed by commit 9b2c6eded493fa50e7c8cd3618d7ebe1358abaab [1].
Exploitation
An unprivileged local user can trigger the bug. While the variable is never used uninitialized under normal conditions because uresp is never NULL, the lack of initialization can lead to compiler-optimized code that incorrectly caches AppArmor notification responses [1].
Impact
A successful exploit can result in the incorrect caching of AppArmor notification responses, potentially causing denial of service or minor security policy bypass. The CVSS v3 score is 3.3 (Low) [1].
Mitigation
Apply the fix in commit 9b2c6eded493fa50e7c8cd3618d7ebe1358abaab by updating to a patched kernel version. No workaround is available [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0. No patches discovered yet.
Vulnerability mechanics
Root cause
"Uninitialized stack variable `flags` in `knotif_update_from_uresp_perm()` can be used before being assigned a value."
Attack vector
An unprivileged local attacker triggers the AppArmor notification handling code path that calls `knotif_update_from_uresp_perm()` [1]. When `uresp` is NULL, the variable `flags` is never assigned but is still read by subsequent code, leading to undefined behavior. This can result in incorrect caching of AppArmor notification responses, potentially causing the kernel to apply stale or wrong permission flags for subsequent access decisions.
Affected code
The bug is in `security/apparmor/notify.c` in the function `knotif_update_from_uresp_perm()` [1]. The uninitialized variable is `u16 flags` at line 658 of the patched file.
What the fix does
The patch initializes `flags` to `0` at declaration (`u16 flags = 0;`) in `security/apparmor/notify.c` [1]. This ensures that when `uresp` is NULL (and the `if (uresp)` block is skipped), `flags` has a well-defined value instead of stack garbage. The commit message notes that while the variable is "never used while uninitialized because `uresp` is never NULL" in practice, LLVM/clang fails to build due to the uninitialized warning, and the fix also closes a latent bug if that assumption ever changes.
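A simplified user-space model of the pattern described above, added here as an illustration and not taken from the kernel or the fix commit. The struct types, the `MODEL_CACHE_REPLY` bit, the function names and the assumption that `flags` decides whether a reply is cached are all hypothetical; only `flags`, `uresp`, the `if (uresp)` guard and the `= 0` initializer come from the page.

```c
/* Model of the pre-fix and post-fix shape of the bug. Everything except
 * `flags`, `uresp` and the `if (uresp)` guard is a hypothetical stand-in. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_CACHE_REPLY 0x0001u   /* constructed flag bit: "cache this reply" */

struct model_uresp { uint16_t flags; uint32_t allow; };
struct model_cache { int valid; uint32_t allow; };

#ifdef SHOW_PREFIX_SHAPE
/* Pre-fix shape: on the NULL path `flags` is read without ever being
 * written. `clang -Wall -Werror -DSHOW_PREFIX_SHAPE` rejects this with
 * -Wsometimes-uninitialized, the build failure the commit message cites. */
int model_update_unfixed(struct model_cache *c, const struct model_uresp *uresp)
{
    uint16_t flags;
    if (uresp) {
        flags = uresp->flags;
        c->allow = uresp->allow;
    }
    c->valid = (flags & MODEL_CACHE_REPLY) != 0;   /* indeterminate read */
    return c->valid;
}
#endif

/* Post-fix shape: `flags = 0` makes the NULL path well defined, so an
 * absent reply can never be recorded as a cacheable decision. */
int model_update_fixed(struct model_cache *c, const struct model_uresp *uresp)
{
    uint16_t flags = 0;
    if (uresp) {
        flags = uresp->flags;
        c->allow = uresp->allow;
    }
    c->valid = (flags & MODEL_CACHE_REPLY) != 0;
    return c->valid;
}

int main(void)
{
    struct model_cache c = { 0, 0 };
    struct model_uresp r = { MODEL_CACHE_REPLY, 0x4 };   /* constructed reply */
    printf("NULL reply cached:    %d\n", model_update_fixed(&c, NULL));
    printf("flagged reply cached: %d\n", model_update_fixed(&c, &r));
    return 0;
}
```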
Preconditions
- auth: Attacker must be an unprivileged local user
- config: System must be running an Ubuntu kernel with the AppArmor SAUCE patches for notification handling (prompt/reply feature)
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0. No linked articles in our index yet.