VYPR
← All advisories
Low severity3.3NVD Advisory· Published May 28, 2026

CVE-2026-47336

CVE-2026-47336

Description

Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An uninitialized variable in Ubuntu's AppArmor socket mediation can cause incorrect network access control for unprivileged local users.

Vulnerability

A use of an uninitialized variable exists in the AppArmor AF_INET/AF_INET6 socket mediation code in Ubuntu Linux 6.8 with SAUCE patches. In the profile_opt_perm function within security/apparmor/af_inet.c, the variable l was incorrectly initialized with its own value (__be16 l = htons(l);) instead of the intended level parameter (__be16 l = htons(level);). This bug affects the fine-grained IPv4/IPv6 mediation introduced by commit 11bd800e8f52. The flaw is present in Ubuntu kernels that include the SAUCE patch set for AppArmor 4.0.0 [1].

Exploitation

An unprivileged local user can trigger the vulnerable code path by performing network socket operations that require AppArmor mediation, such as creating or manipulating AF_INET or AF_INET6 sockets. No authentication or special privileges are required beyond local access. The uninitialized variable leads to undefined behavior, which may cause the mediation logic to use an arbitrary value for the socket option level, potentially resulting in incorrect policy enforcement [1].

Impact

Successful exploitation could result in incorrect fine-grained mediation of network sockets, meaning that AppArmor policies may not be properly applied to IPv4/IPv6 socket operations. This could allow an attacker to bypass intended access controls, either permitting network actions that should be denied or blocking legitimate actions. The severity is rated Low (CVSS 3.3) due to the requirement for local access and the limited scope of the bypass [1].

Mitigation

The issue is fixed in commit f37c6a70fe7b435322c334554002809a4e7b7293, authored by Georgia Garcia on 2026-04-23 and included in Ubuntu kernel updates. Users should update to the latest kernel package that contains this fix. No workaround is available; updating the kernel is the recommended mitigation [1].

References
  1. ~ubuntu-kernel/ubuntu/+source/linux/+git/noble - [no description]

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Use of uninitialized variable: `l` was initialized with its own uninitialized value instead of the intended `level` parameter."

Attack vector

An unprivileged local user can trigger this bug by making network socket option calls that reach the AppArmor `profile_opt_perm` function for AF_INET/AF_INET6 sockets. Because `l` is initialized from its own uninitialized value, the subsequent mediation logic operates on garbage data, which may cause the access check to incorrectly allow or deny a socket operation that should have been mediated differently [ref_id=1]. The CVSS vector confirms the attacker needs local access and low privileges (AV:L/AC:L/PR:L).

Affected code

The bug is in `security/apparmor/af_inet.c` in the function `profile_opt_perm`. The variable `l` was initialized with its own uninitialized value (`htons(l)`) instead of the intended `level` parameter (`htons(level)`) [ref_id=1].

What the fix does

The patch changes `__be16 l = htons(l);` to `__be16 l = htons(level);` in `profile_opt_perm` [ref_id=1]. This ensures the variable `l` is initialized from the correct `level` parameter (the socket option level, e.g. SOL_SOCKET, IPPROTO_TCP) rather than from its own uninitialized stack value. The commit message explicitly states: "The variable l was being initialized with its own value, while the intended target was level" [ref_id=1].

Preconditions

  • authAttacker must have a local user account on the system (unprivileged).
  • configAppArmor must be enabled with fine-grained IPv4/IPv6 socket mediation rules (the SAUCE patch set).
  • inputAttacker must be able to trigger AF_INET or AF_INET6 socket option calls that reach the profile_opt_perm function.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.