CVE-2026-47337
Description
Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in Ubuntu's AppArmor AF_INET/AF_INET6 socket mediation can be triggered by an unprivileged local user, leading to a kernel oops.
Vulnerability
A NULL pointer dereference exists in Ubuntu Linux 6.8, 6.17, and 7.0 within the SAUCE patches for AppArmor's `bind_map_addr()` function in `security/apparmor/af_inet.c` [1]. The bug occurs when handling the AF_UNSPEC socket family: the variable `addr4` was used before being assigned, causing a NULL pointer dereference when validating the bind address [1]. Affected versions include those carrying the SAUCE patch that introduced the regression [1].
Exploitation
An unprivileged local user can trigger the vulnerability by creating an AF_UNSPEC socket and attempting to bind it to an IPv4 address that is not INADDR_ANY (0.0.0.0) [1]. The attacker needs no special privileges beyond local access, and no user interaction is required beyond executing the relevant system calls [1].
Impact
Successful exploitation causes a kernel oops (a type of denial of service) as the kernel attempts to dereference a NULL pointer [1]. The crash results in a local denial of service; there is no indication of privilege escalation or information disclosure from the available references [1].
Mitigation
The fix was committed by Canonical on 2026-04-23 and merged on 2026-05-22, adding the missing assignment `addr4 = (struct sockaddr_in *)addr;` [1]. Users should update to the patched kernel version (e.g., via Ubuntu's noble kernel repository) as soon as it becomes available [1]. No workarounds are documented in the references; the issue is trivially triggered but only leads to a crash.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use of uninitialized pointer `addr4` before assignment in the AF_UNSPEC handling path of `bind_map_addr()`."
Attack vector
An unprivileged local user can trigger this bug by calling `bind()` on an AF_INET or AF_INET6 socket with an `AF_UNSPEC` address family. When `bind_map_addr()` enters the `AF_UNSPEC` branch, `addr4` is used without prior assignment, causing a NULL pointer dereference that results in a kernel oops [1]. No special capabilities or network access are required beyond the ability to create and manipulate sockets.
Affected code
The vulnerability is in `security/apparmor/af_inet.c` in the `bind_map_addr()` function. The code path handling `AF_UNSPEC` family used `addr4` before it was assigned, leading to a NULL pointer dereference.
What the fix does
The patch adds a single line assigning `addr4 = (struct sockaddr_in *)addr;` before the `AF_UNSPEC` branch uses `addr4->sin_addr.s_addr` [1]. This ensures the pointer is properly initialized before dereference, closing the NULL pointer dereference. The fix was applied as a SAUCE (Ubuntu-specific) patch to the AppArmor AF_INET mediation code.
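To check whether a host has already hit this oops, the following added triage example (not code from Canonical or from this page) scans kernel log text for NULL-dereference oops reports that name `bind_map_addr`. The sample log is constructed, and the script assumes the function appears by name in the report, which will not hold if the compiler inlined it.

```python
import re

# Constructed sample kernel log (not from a real system), x86-64 oops layout.
SAMPLE_LOG = """\
[  101.000001] EXT4-fs (sda1): mounted filesystem
[  245.118201] BUG: kernel NULL pointer dereference, address: 0000000000000004
[  245.118240] CPU: 2 PID: 4312 Comm: bindtest Not tainted 6.8.0-example #1
[  245.118250] RIP: 0010:bind_map_addr+0x41/0x130
[  245.118390] ---[ end trace 0000000000000000 ]---
[  300.000000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  300.000010] CPU: 0 PID: 77 Comm: kworker/0:1 Not tainted 6.8.0-example #1
[  300.000020] RIP: 0010:some_other_func+0x10/0x80
[  300.000030] ---[ end trace 0000000000000000 ]---
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
START = re.compile(r"BUG: kernel NULL pointer dereference, address: (\S+)")
END = re.compile(r"---\[ end trace")
TASK = re.compile(r"PID: (\d+) Comm: (\S+)")
RIP = re.compile(r"RIP: \d+:(\w+)\+")
SYMBOL = "bind_map_addr"  # assumption: the function is not inlined away

def find_oopses(log_text, symbol=SYMBOL):
    """Return NULL-dereference oops reports whose RIP or trace names `symbol`."""
    named = re.compile(rf"\b{re.escape(symbol)}\+0x")
    reports, cur = [], None
    for raw in log_text.splitlines():
        line = STAMP.sub("", raw)
        start = START.search(line)
        if start:  # a new report also closes a truncated previous one
            if cur:
                reports.append(cur)
            cur = {"address": start.group(1), "pid": None, "comm": None,
                   "rip": None, "names_symbol": False}
            continue
        if cur is None:
            continue  # ordinary log line outside any report
        if cur["pid"] is None and (m := TASK.search(line)):
            cur["pid"], cur["comm"] = int(m.group(1)), m.group(2)
        if cur["rip"] is None and (m := RIP.search(line)):
            cur["rip"] = m.group(1)
        if named.search(line):
            cur["names_symbol"] = True
        if END.search(line):
            reports.append(cur)
            cur = None
    if cur:
        reports.append(cur)  # log ended mid-report
    return [r for r in reports if r["names_symbol"]]
```

Pass it the text of `journalctl -k` or `dmesg` output; the PID and command name in each hit identify the local process that was running when the oops fired.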
Preconditions
- auth: Local unprivileged user access to the system
- input: Ability to create AF_INET or AF_INET6 sockets and call `bind()` with AF_UNSPEC
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.