Linux Kernel AppArmor OOB Read via DFA Start State in unpack_pdb
CVE-2026-23269 Published on March 18, 2026
apparmor: validate DFA start states are in bounds in unpack_pdb
In the Linux kernel, the following vulnerability has been resolved:
apparmor: validate DFA start states are in bounds in unpack_pdb
Start states are read from untrusted data and used as indexes into the
DFA state tables. The aa_dfa_next() function call in unpack_pdb() will
access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds
the number of states in the DFA, this results in an out-of-bound read.
==================================================================
BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
Read of size 4 at addr ffff88811956fb90 by task su/1097
...
Reject policies with out-of-bounds start states during unpacking
to prevent the issue.
Products Associated with CVE-2026-23269
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version ad5ff3db53c68c2f12936bc74ea5dfe0af943592 and below 15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c is affected.
- Version ad5ff3db53c68c2f12936bc74ea5dfe0af943592 and below 0baadb0eece2c4d939db10d3c323b4652ac79a58 is affected.
- Version ad5ff3db53c68c2f12936bc74ea5dfe0af943592 and below 3bb7db43e32190c973d4019037cedb7895920184 is affected.
- Version ad5ff3db53c68c2f12936bc74ea5dfe0af943592 and below 9063d7e2615f4a7ab321de6b520e23d370e58816 is affected.
- Version 3.4 is affected.
- Before 3.4 is unaffected.
- Version 6.12.77, <= 6.12.* is unaffected.
- Version 6.18.18, <= 6.18.* is unaffected.
- Version 6.19.8, <= 6.19.* is unaffected.
- Version 7.0-rc4, <= * is unaffected.