CVE-2026-47333
Description
Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An incorrect buffer size calculation in AppArmor notification handling leads to heap out-of-bounds read, exploitable by unprivileged local users on Ubuntu Linux 6.8, 6.17, and 7.0.
Vulnerability
In Ubuntu Linux kernels 6.8, 6.17, and 7.0, the AppArmor notification handling function notify_set_filter in security/apparmor/apparmorfs.c miscalculates the size argument it passes to aa_dfa_unpack. The original expression size - ((void *) unotif - pos) has the operands of the pointer difference reversed, so it adds the filter offset instead of subtracting it; the intended value is size - unotif->filter. The oversized length lets aa_dfa_unpack read past the end of the heap buffer while unpacking the filter DFA [1].
Exploitation
An unprivileged local user can trigger the vulnerability by supplying a crafted notification filter through the AppArmor notification interface, which is reachable from userspace; no privileges beyond local access are required. The user invokes the notify_set_filter operation with a DFA filter whose header places the filter at a non-zero offset. Because the length handed to aa_dfa_unpack then exceeds the buffer actually supplied, the unpack routine reads beyond the allocated heap buffer while parsing the DFA.
Impact
Successful exploitation yields a heap out-of-bounds read: bytes beyond the allocated buffer are consumed by the DFA unpack code and, if unpacking succeeds, by the AppArmor DFA policy engine. Possible consequences are disclosure of kernel heap contents and a kernel crash resulting in denial of service. The bug is a read, not a write, so it does not by itself give the attacker elevated privileges, but it can leave the notification filter operating on invalid data.
Mitigation
The fix is commit 635fa30ed9e9 in the Ubuntu kernel repository [1]. Update to an Ubuntu kernel build that contains this commit. As of the publication date (2026-05-28) the fix is present in the kernel source and is expected in subsequent official updates. There is no configuration workaround; applying the kernel update is the only mitigation.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=6.8,<=7.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Incorrect arithmetic in buffer size calculation for aa_dfa_unpack() causes a heap out-of-bounds read."
Attack vector
An unprivileged local user triggers the bug by calling the `notify_set_filter` operation on an AppArmor notification listener. The kernel computes the buffer size passed to `aa_dfa_unpack()` with the operands of a pointer subtraction reversed, so the filter offset is added to the size rather than subtracted from it [ref_id=1]. `aa_dfa_unpack()` therefore reads beyond the allocated heap buffer (an out-of-bounds read, CWE-125), and the invalid data is then processed by the AppArmor DFA policy engine, which can result in information disclosure or a kernel crash.
Affected code
The bug is in `security/apparmor/apparmorfs.c` in the `notify_set_filter` function. The faulty line computes the size argument to `aa_dfa_unpack()` as `size - ((void *) unotif - pos)`; because `pos` points `filter` bytes past `unotif`, the pointer difference is `-filter` and the expression evaluates to `size + filter` instead of the intended `size - filter` [ref_id=1]. The patch changes this to `size - unotif->filter`, where `filter` is the byte offset of the filter DFA within the `notif` struct [ref_id=1].
What the fix does
The patch replaces `size - ((void *) unotif - pos)` with `size - unotif->filter` in `notify_set_filter()` [ref_id=1]. In the old expression `(void *)unotif - pos` is a negative offset, and subtracting it adds `filter` to `size`; since the unpack starts `filter` bytes into a `size`-byte allocation, a length of `size + filter` runs `2 * filter` bytes past the end of the buffer. The corrected expression uses the `filter` field directly, so the remaining buffer size is `size - filter` and the read stays inside the allocation [ref_id=1].
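The size arithmetic described in the Vulnerability and Affected code sections, as an added userspace model that is not the Ubuntu kernel's code: the struct layout, its field names, the stand-in unpacker and the validating variant are assumptions chosen to mirror the description; only the two size expressions are taken from the page. The model shows the pre-fix expression producing `size + filter`, the stand-in unpacker reading `2 * filter` bytes past a constructed buffer, and the fixed expression staying in bounds. It also adds the bounds check a reviewer would want in front of either expression, which is not part of the fix itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical userspace model of the notification filter buffer that
 * notify_set_filter() copies in.  Field names and layout are assumptions;
 * the only thing taken from the advisory is that `filter` is the byte offset
 * of the DFA blob from the start of the struct. */
struct notif_filter_hdr {
	uint32_t flags;   /* placeholder field (assumed) */
	uint32_t filter;  /* offset of the DFA blob within this buffer */
	uint8_t  data[];  /* DFA blob lives at ((uint8_t *)hdr) + filter */
};

/* Pre-fix expression: size - ((void *)unotif - pos).
 * With pos = (uint8_t *)unotif + unotif->filter the pointer difference is
 * -filter; converted to size_t and subtracted, it ADDS filter, so the
 * result is size + filter (modulo 2^64). */
static size_t dfa_len_buggy(const struct notif_filter_hdr *unotif, size_t size)
{
	const uint8_t *pos = (const uint8_t *)unotif + unotif->filter;
	return size - (size_t)((const uint8_t *)unotif - pos);
}

/* Post-fix expression: size - unotif->filter. */
static size_t dfa_len_fixed(const struct notif_filter_hdr *unotif, size_t size)
{
	return size - unotif->filter;
}

/* Validation a reviewer would want in front of either expression (added
 * hardening, not part of the described fix): the offset must land past the
 * header and inside the buffer, otherwise even the fixed subtraction wraps.
 * Returns the usable length, or -1 if the header is rejected. */
static long dfa_len_checked(const struct notif_filter_hdr *unotif, size_t size)
{
	if (size < sizeof(*unotif))
		return -1;
	if (unotif->filter < sizeof(*unotif) || unotif->filter > size)
		return -1;
	return (long)(size - unotif->filter);
}

/* Stand-in for aa_dfa_unpack(), which would walk `len` bytes from `pos`.
 * Report how many of those bytes lie outside the `alloc`-byte allocation
 * that starts at `base`. */
static size_t bytes_past_allocation(const uint8_t *base, size_t alloc,
				    const uint8_t *pos, size_t len)
{
	size_t start = (size_t)(pos - base);
	size_t end = start + len;
	return end > alloc ? end - alloc : 0;
}

/* Build a constructed sample buffer of `size` bytes with the DFA at `filter`,
 * compute the length with the buggy or the fixed expression, and return how
 * far the unpacker would read past the allocation. */
static size_t oob_bytes(size_t size, uint32_t filter, int use_fix)
{
	static _Alignas(8) uint8_t buf[256];
	struct notif_filter_hdr *unotif = (struct notif_filter_hdr *)buf;

	memset(buf, 0, sizeof(buf));
	unotif->filter = filter;
	const uint8_t *pos = buf + filter;
	size_t len = use_fix ? dfa_len_fixed(unotif, size)
			     : dfa_len_buggy(unotif, size);
	return bytes_past_allocation(buf, size, pos, len);
}

/* Same constructed sample, run through the validating variant. */
static long checked_len(size_t size, uint32_t filter)
{
	static _Alignas(8) uint8_t buf[256];
	struct notif_filter_hdr *unotif = (struct notif_filter_hdr *)buf;

	memset(buf, 0, sizeof(buf));
	unotif->filter = filter;
	return dfa_len_checked(unotif, size);
}

int main(void)
{
	printf("buggy   (size=64, filter=8):   %zu bytes read past the allocation\n",
	       oob_bytes(64, 8, 0));
	printf("fixed   (size=64, filter=8):   %zu bytes read past the allocation\n",
	       oob_bytes(64, 8, 1));
	printf("checked (size=64, filter=8):   len %ld\n", checked_len(64, 8));
	printf("checked (size=64, filter=100): len %ld (rejected)\n",
	       checked_len(64, 100));
	return 0;
}
```

With a 64-byte buffer and the DFA at offset 8, the buggy length is 72 and the stand-in unpacker runs 16 bytes (twice the offset) past the allocation, while the fixed length of 56 ends exactly at the buffer boundary. The validating variant also rejects an offset larger than the buffer, or one that falls inside the header, which the corrected subtraction alone does not catch.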
Preconditions
- config: Attacker must be a local unprivileged user on an affected Ubuntu kernel (6.8, 6.17, or 7.0) with the AppArmor SAUCE notification filtering patches
- input: Attacker must be able to invoke the notify_set_filter operation on an AppArmor notification listener
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.