VYPR
High severity · 7.8 · NVD Advisory · Published May 28, 2026

CVE-2026-47331

Description

Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in Ubuntu's AppArmor SAUCE patches allows unprivileged local users to trigger a use-after-free, potentially leading to arbitrary code execution.

Vulnerability

In Ubuntu Linux 6.8, the AppArmor SAUCE patches (introduced by commit 9e91d7c53d6c) contain a race condition where the rules linked list in struct aa_profile is modified without holding a lock. This can cause list corruption on concurrent access, leading to a use-after-free (UAF). The affected code path is in the knotif_update_from_uresp_name function, which modifies the list without synchronization. The fix adds a rules_lock spinlock to protect the list [1].

Exploitation

An unprivileged local user can exploit this race condition by triggering concurrent modifications to the rules list, for example by sending multiple responses to AppArmor notifications. The race window exists in the knotif_update_from_uresp_name function where the list is updated without holding the lock. No special privileges or user interaction beyond local access are required to initiate the race.

Impact

Successful exploitation results in a use-after-free condition, which can be leveraged to achieve arbitrary code execution in kernel context. This gives the attacker full control over the system, including the ability to read sensitive data, modify system state, and execute arbitrary commands with root privileges.

Mitigation

The fix is provided in commit 5e5cd4759b63363373faf1ce15d1cab3606d6ec8 in the Ubuntu kernel repository [1]. Users should update to a kernel version that includes this commit. As of the publication date (2026-05-28), the fix is available in the Ubuntu noble branch. No workarounds have been disclosed. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing lock acquisition when modifying the `profile->rules` linked list allows a race condition leading to use-after-free."

Attack vector

An unprivileged local user can trigger the race by concurrently invoking AppArmor prompt/notification operations that modify the `profile->rules` linked list. Because the list was modified without holding a lock [1], concurrent access can cause list corruption or a use-after-free. The attacker needs only local unprivileged access (AV:L/AC:L/PR:L) and no special configuration, as the race occurs in normal AppArmor profile rule update paths.

Affected code

The vulnerability is in the AppArmor SAUCE patches in Ubuntu's Linux 6.8 kernel. The `knotif_update_from_uresp_name()` function in the AppArmor prompt/notification code modifies `profile->rules` (a linked list) without holding a lock, while other code paths may concurrently access the same list. The patch adds a `rules_lock` spinlock to `struct aa_profile` and acquires it around the list modification in `knotif_update_from_uresp_name()`.

What the fix does

The patch adds a `spinlock_t rules_lock` field to `struct aa_profile`, initializes it in `aa_alloc_profile()`, and wraps the critical section in `knotif_update_from_uresp_name()` with `spin_lock()`/`spin_unlock()` calls. It also changes `list_add_tail_entry()` to `list_add_tail_rcu()` for safe RCU-list concurrent access. The commit message explicitly notes that `profiles->rules was being modified without holding a lock, which could cause list corruption on concurrent access, or an use-after-free` [1].
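The locking pattern described above, as an added userspace model that is not the Ubuntu patch or any kernel code: a `pthread_mutex_t` stands in for the kernel `spinlock_t`, the struct and function names are hypothetical, and the RCU part of the fix is not modelled. Several writers append to one shared list, and a link-consistency walk shows that serialising the append keeps the list intact.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model: names echo the advisory, types are stand-ins (assumptions). */
struct list_head { struct list_head *next, *prev; };
struct profile {                      /* stand-in for struct aa_profile */
    struct list_head rules;           /* the shared rules list */
    pthread_mutex_t rules_lock;       /* stand-in for the kernel spinlock_t */
    int use_lock;                     /* 0 = pre-fix shape, 1 = fixed shape */
};
enum { WRITERS = 4, PER_WRITER = 20000 };

static void list_add_tail(struct list_head *n, struct list_head *head) {
    n->next = head; n->prev = head->prev;   /* multi-step update: not atomic */
    head->prev->next = n; head->prev = n;
}

static void *writer(void *arg) {      /* models one concurrent rule update */
    struct profile *p = arg;
    for (int i = 0; i < PER_WRITER; i++) {
        struct list_head *n = malloc(sizeof *n);
        if (!n) abort();
        if (p->use_lock) pthread_mutex_lock(&p->rules_lock);
        list_add_tail(n, &p->rules);  /* critical section */
        if (p->use_lock) pthread_mutex_unlock(&p->rules_lock);
    }
    return NULL;
}

/* Returns the node count if every link is consistent, -1 on corruption. */
static long run_writers(int use_lock) {
    struct profile p = { .use_lock = use_lock };
    pthread_t t[WRITERS];
    long n = 0;
    p.rules.next = p.rules.prev = &p.rules;
    pthread_mutex_init(&p.rules_lock, NULL);
    for (int i = 0; i < WRITERS; i++) pthread_create(&t[i], NULL, writer, &p);
    for (int i = 0; i < WRITERS; i++) pthread_join(t[i], NULL);
    for (struct list_head *c = p.rules.next; c != &p.rules; c = c->next, n++)
        if (c->next->prev != c || n > WRITERS * PER_WRITER) return -1;
    return n;                         /* nodes are leaked; fine for a demo */
}

int main(void) {
    printf("locked: %ld nodes (expected %d)\n", run_writers(1), WRITERS * PER_WRITER);
    return 0;
}
```

Only the locked run is deterministic; `run_writers(0)` is a data race whose result varies from run to run, typically a short count or -1.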

Preconditions

  • auth: Local unprivileged user access to the system
  • input: Ability to trigger concurrent AppArmor prompt/notification operations that modify profile rules

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
