CVE-2026-47334
Description
Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An AppArmor SAUCE patch in Ubuntu Linux 6.8, 6.17, and 7.0 sleeps while holding a spinlock in notification handling, leading to possible kernel panic or deadlock.
Vulnerability
The vulnerability resides in the AppArmor notification handling code introduced by Ubuntu's SAUCE patches (commit 9e91d7c53d6c). The function `knotif_update_from_uresp_name` calls `aa_clone_ruleset` and `aa_dup_audit_data` with `GFP_KERNEL`, a flag that allows the allocator to sleep. The caller, however, holds a spinlock (`profile->rules_lock`), so the code runs in atomic context, where sleeping is illegal. This bug affects Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 with the SAUCE patches applied. The fix passes a `gfp` parameter down to these allocations and has the caller supply `GFP_ATOMIC` [1].
Exploitation
An unprivileged local user can trigger the bug by interacting with the AppArmor notification mechanism, causing the kernel to attempt memory allocation with sleeping allowed while a spinlock is held. This results in a kernel panic or system deadlock. No special privileges or user interaction beyond typical unprivileged access are required [1].
Impact
Successful exploitation leads to a denial of service via kernel panic or system deadlock, potentially rendering the system unavailable. The vulnerability does not appear to allow code execution or privilege escalation based on available information [1].
Mitigation
Ubuntu has addressed this issue in the kernel source commit f0e73aec23d13a9877fba096b1c2fd19f66e5313 [1]. Users should update their kernel packages to a version containing this fix. No workarounds have been published. The CVE is not known to be listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Memory allocation with GFP_KERNEL (which can sleep) while holding a spinlock in AppArmor notification handling."
Attack vector
An unprivileged local user triggers the AppArmor notification path by sending a crafted response (via `aa_listener_unotif_response`) that reaches `knotif_update_from_uresp_name`. Because the kernel attempts to allocate memory with `GFP_KERNEL` (which can sleep) while holding a spinlock, the system may deadlock or panic. No special capabilities or network access are required: only local user access and the ability to interact with the AppArmor notification interface [1].
Affected code
The bug is in `knotif_update_from_uresp_name` in the AppArmor notification handling code. This function calls `aa_clone_ruleset`, `aa_dup_audit_data`, and `kstrdup` with `GFP_KERNEL` while its caller holds a spinlock (`profile->rules_lock`). The patch changes these allocations to use a `gfp` parameter passed from the caller, which supplies `GFP_ATOMIC` when called under the spinlock [1].
What the fix does
The patch propagates a `gfp_t gfp` parameter through `aa_clone_ruleset` and `knotif_update_from_uresp_name`, replacing hardcoded `GFP_KERNEL` with the caller-supplied flag. In `knotif_update_from_uresp_name`, allocations for `aa_clone_ruleset`, `aa_dup_audit_data`, and `kstrdup` now use this parameter. The caller, which holds `profile->rules_lock`, passes `GFP_ATOMIC` instead of `GFP_KERNEL`, preventing the illegal sleep while holding a spinlock [1].
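The gfp-propagation pattern described above, as an added userspace C model; it is not the Ubuntu patch or AppArmor code. The lock, allocator, flag values and the `dup_name_*` and `update_under_lock` helpers are hypothetical stand-ins, and only the `GFP_KERNEL` and `GFP_ATOMIC` names come from the page.

```c
#include <stdlib.h>
#include <string.h>

/* Userspace model with constructed flag values; not kernel or AppArmor code. */
typedef unsigned int gfp_t;
#define MODEL_MAY_SLEEP 0x1u            /* hypothetical "may block" bit */
#define GFP_ATOMIC      0x0u            /* never blocks */
#define GFP_KERNEL      MODEL_MAY_SLEEP /* may block to reclaim memory */

static int atomic_depth;     /* > 0 while a (modelled) spinlock is held */
static int sleep_violations; /* blocking requests seen in atomic context */
static void model_spin_lock(void)   { atomic_depth++; }
static void model_spin_unlock(void) { atomic_depth--; }

/* Stand-in allocator: records the bug condition instead of deadlocking. */
static void *model_alloc(size_t n, gfp_t gfp)
{
    if ((gfp & MODEL_MAY_SLEEP) && atomic_depth > 0)
        sleep_violations++;
    return malloc(n);
}

/* Before: the helper hardcodes GFP_KERNEL, whatever context it runs in. */
static char *dup_name_before(const char *s)
{
    char *p = model_alloc(strlen(s) + 1, GFP_KERNEL);
    if (p)
        strcpy(p, s);
    return p;
}

/* After: the caller, which knows its locking context, supplies the flag. */
static char *dup_name_after(const char *s, gfp_t gfp)
{
    char *p = model_alloc(strlen(s) + 1, gfp);
    if (p) /* GFP_ATOMIC fails more readily, so NULL must be handled */
        strcpy(p, s);
    return p;
}

/* Runs one update under the lock and returns the violations it caused. */
static int update_under_lock(int fixed)
{
    sleep_violations = 0;
    model_spin_lock();
    char *p = fixed ? dup_name_after("rule", GFP_ATOMIC) : dup_name_before("rule");
    model_spin_unlock();
    free(p);
    return sleep_violations;
}
```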
Preconditions
- auth: Attacker must be a local user on the system
- input: Attacker must be able to send AppArmor notification responses via the listener interface
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.