CVE-2026-47332
Description
Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A size validation bug in Ubuntu's AppArmor SAUCE patches for kernels 6.8, 6.17, and 7.0 allows local unprivileged users to read adjacent kernel memory via notification handling.
Vulnerability
In Ubuntu Linux kernels 6.8, 6.17, and 7.0 (with AppArmor SAUCE patches), the `notify_set_filter()` function in `security/apparmor/apparmorfs.c` incorrectly validates the size of the user-provided filter structure. The check `if (size < sizeof(unotif))` measures `unotif`, which is a pointer, so it compares against the pointer size (8 bytes on 64-bit) rather than `sizeof(*unotif)`, the size of `struct apparmor_notif_filter`. Any size from the pointer size up to one byte short of the struct passes the check; the kernel then allocates and fills a buffer of only that many bytes and reads struct fields that lie beyond its end, an out-of-bounds read [1].
Exploitation
An unprivileged local user with access to the AppArmor notification interface can trigger the bug. The attacker invokes the AA_NOTIF_SET_FILTER operation with a size that is at least the pointer size (so it passes the flawed check) but smaller than `struct apparmor_notif_filter`. The kernel allocates a buffer of that size with `kzalloc()`, copies the user-supplied bytes into it, and then reads beyond it when it processes the notification filter. Nothing beyond invoking the system call is required: no additional privileges and no user interaction [1].
Impact
Successful exploitation discloses the contents of adjacent slab objects in kernel memory. Those bytes may contain kernel pointers or data belonging to other processes, which can aid further attacks. The bug does not by itself yield code execution or privilege escalation, but leaked pointers could be used to defeat KASLR or other mitigations.
Mitigation
The fix was committed by Canonical in commit 0418e5f61b55 [1] on 2026-04-22 and is expected to ship in updated kernel packages. Users should apply the latest Ubuntu security updates for their affected kernel series (6.8, 6.17, or 7.0). Until the patch is applied, administrators can reduce exposure by tightening permissions on the AppArmor notification interface exposed through apparmorfs (mounted under securityfs) so that unprivileged users cannot open it; whether that is practical depends on which local users legitimately need the interface. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use of `sizeof(pointer)` instead of `sizeof(struct)` in a size validation check allows undersized allocation leading to out-of-bounds read."
Attack vector
An unprivileged local user can trigger the bug by writing a notification filter with a crafted size to the AppArmor notification interface. `notify_set_filter()` validates the size against `sizeof(unotif)` (the size of a pointer, typically 8 bytes on 64-bit systems) instead of `sizeof(*unotif)` (the size of `struct apparmor_notif_filter`), so any size between the pointer size and one byte short of the struct passes the check and `kzalloc()` allocates a buffer smaller than the structure. Subsequent field accesses on that buffer read out-of-bounds from adjacent slab memory, disclosing kernel data [ref_id=1].
Affected code
The bug is in `security/apparmor/apparmorfs.c` in the `notify_set_filter()` function. The patch shows a one-line fix changing `sizeof(unotif)` to `sizeof(*unotif)` on the size validation check at line 732 of the original file.
What the fix does
The fix changes `sizeof(unotif)` to `sizeof(*unotif)` so the check compares the user-supplied size against the actual struct size (`struct apparmor_notif_filter`) rather than the pointer size. Any request smaller than the structure is now rejected with `-EINVAL` before allocation, so the buffer is never undersized and the out-of-bounds read cannot occur. The commit message confirms the intent was to validate against the struct size, not the pointer size [ref_id=1].
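The following C program is an added example, not code from Ubuntu's kernel or from the referenced commit. It models in user space the size check described in the Vulnerability section above and in this "What the fix does" section, side by side in its vulnerable and patched forms. The field layout of `struct apparmor_notif_filter`, the toy slab allocator, the `payload` input and the `filter_seen()` helper are assumptions made for the demonstration; the only property carried over from the page is the comparison against `sizeof(unotif)` versus `sizeof(*unotif)`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * ASSUMED layout standing in for struct apparmor_notif_filter. The page does
 * not show the real fields; only the size relationship matters here: this
 * struct is 16 bytes, a pointer is 8 on 64-bit, and 'filter' sits at offset 12.
 */
struct apparmor_notif_filter {
    uint16_t base_size; /* caller's view of the struct size */
    uint16_t version;
    uint32_t modeset;   /* notification mode bits (assumed) */
    uint32_t ns;        /* namespace string offset (assumed) */
    uint32_t filter;    /* filter expression offset (assumed) */
};

/*
 * Toy slab: one 64-byte region. The object handed out starts at offset 0, and
 * whatever lies beyond 'size' plays the role of the adjacent slab object,
 * filled with a recognisable stale value (0xAA). Like kzalloc(), only the
 * requested bytes are zeroed.
 */
#define SLAB_SIZE 64
static unsigned char *slab;

static void *toy_kzalloc(size_t size)
{
    if (!slab)
        slab = malloc(SLAB_SIZE);
    if (!slab || size > SLAB_SIZE)
        return NULL;
    memset(slab, 0xAA, SLAB_SIZE); /* neighbouring object's contents */
    memset(slab, 0, size);         /* kzalloc() zeroes only 'size' bytes */
    return slab;
}

/*
 * Model of the size check in notify_set_filter(). 'fixed' selects the patched
 * comparison. Returns 0 and stores the 'filter' field the kernel would act on,
 * or a negative errno.
 */
static int notify_set_filter(const void *ubuf, size_t size, int fixed,
                             uint32_t *out_filter)
{
    struct apparmor_notif_filter *unotif = NULL;
    /* Vulnerable: sizeof(unotif) is the pointer size. Fixed: sizeof(*unotif). */
    size_t min_size = fixed ? sizeof(*unotif) : sizeof(unotif);

    if (size < min_size)
        return -EINVAL;

    unotif = toy_kzalloc(size); /* undersized when size < sizeof(*unotif) */
    if (!unotif)
        return -ENOMEM;
    memcpy(unotif, ubuf, size); /* stands in for copy_from_user() */

    /* With size == 8 this reads bytes 12..15: past the allocation, from the neighbour. */
    *out_filter = unotif->filter;
    return 0;
}

/* Attacker-controlled input, constructed for this demo. */
static const struct apparmor_notif_filter payload = {
    .base_size = sizeof(struct apparmor_notif_filter),
    .version = 1,
    .modeset = 0x3,
    .ns = 0,
    .filter = 0x1234,
};

/* Returns the filter value the kernel would use, or the negative errno. */
static long long filter_seen(size_t size, int fixed)
{
    uint32_t f = 0;
    int rc = notify_set_filter(&payload, size, fixed, &f);
    return rc < 0 ? rc : (long long)f;
}

int main(void)
{
    printf("vulnerable, size=8 : 0x%llx (bytes of the adjacent object)\n",
           (unsigned long long)filter_seen(8, 0));
    printf("fixed,      size=8 : %lld (-EINVAL)\n", filter_seen(8, 1));
    printf("fixed,      size=16: 0x%llx (caller's own field)\n",
           (unsigned long long)filter_seen(16, 1));
    return 0;
}
```

Compile with any C11 compiler and run it: the vulnerable comparison accepts an 8-byte request and returns a `filter` value made entirely of the neighbouring object's bytes, while the patched comparison rejects the same request with `-EINVAL` before anything is allocated. A full-size request behaves identically under both checks, which is why the fix can be a single-token change without affecting legitimate callers.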
Preconditions
- auth: Attacker must have local unprivileged user access to the system
- config: The AppArmor notification interface must be accessible (present in kernels with the SAUCE patches)
- input: Attacker must be able to write to the AppArmor notification filter control file
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.