CVE-2026-47335
Description
Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in Ubuntu's AppArmor notification handling allows unprivileged local users to cause a kernel panic.
Vulnerability
The vulnerability resides in the aa_new_ruleset function in security/apparmor/notify.c within Ubuntu's SAUCE patches for AppArmor 4.0.0. When allocating a new ruleset via kzalloc, if the allocation fails (returns NULL), the code proceeds to initialize the list head with INIT_LIST_HEAD(&rules->list) without a NULL check, leading to a NULL pointer dereference. This affects Ubuntu Linux 6.8 kernels containing the SAUCE patch introduced in commit 9e91d7c53d6c. The fix adds a NULL check after kzalloc and returns NULL on failure [1].
Exploitation
An unprivileged local user can trigger the vulnerability by exhausting system memory or otherwise causing kzalloc to fail, then invoking the code path that calls aa_new_ruleset. No special privileges or user interaction beyond local access are required. The attacker must create conditions where memory allocation fails, which may be achievable through memory pressure or specific system configurations.
Impact
Successful exploitation results in a NULL pointer dereference, causing a kernel panic (denial of service). The system crashes, leading to loss of availability. No privilege escalation, information disclosure, or data integrity compromise is indicated by the available references.
Mitigation
The fix is available in commit 406571d530ccdbae6119fe64ce9cf5c74160f20b in the Ubuntu kernel repository, which adds the necessary NULL check [1]. This patch was authored on 2026-04-23 and merged on 2026-05-22. Users should apply the updated kernel package once released by Canonical. No workaround is documented. The CVE is not listed on CISA's Known Exploited Vulnerabilities catalog as of publication.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing NULL check after kzalloc in aa_new_ruleset() allows NULL pointer dereference."
Attack vector
An unprivileged local user can trigger this NULL pointer dereference by causing the kernel to call `aa_new_ruleset()` under memory-pressure conditions where `kzalloc()` fails and returns NULL. Because there is no NULL check on the allocation, the subsequent `INIT_LIST_HEAD()` dereferences the NULL pointer, leading to a kernel panic (denial of service). The CVSS vector confirms the attack requires local access, low privileges, and no user interaction [1].
Affected code
The vulnerable code is in `security/apparmor/notify.c` in the `aa_new_ruleset()` function. The function calls `kzalloc()` to allocate an `aa_ruleset` struct but then unconditionally calls `INIT_LIST_HEAD(&rules->list)` without first checking whether the allocation returned NULL [1].
What the fix does
The patch adds a NULL check immediately after the `kzalloc()` call in `aa_new_ruleset()`. If the allocation fails, the function now returns NULL instead of proceeding to dereference the NULL pointer via `INIT_LIST_HEAD()`. This is a standard defensive programming fix that prevents the kernel panic when memory cannot be allocated [1].
Preconditions
- auth: Attacker must have local access to the system
- input: Attacker must be able to trigger memory pressure such that kzalloc fails in aa_new_ruleset()
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.