Bug 2481959 (CVE-2026-45966)

Summary: CVE-2026-45966 kernel: apparmor: fix NULL pointer dereference in __unix_needs_revalidation
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the AppArmor security module within the Linux kernel. This vulnerability occurs when the system processes file descriptors, which are references to open files or other I/O resources, using a specific inter-process communication mechanism called SCM_RIGHTS. A missing check for null pointers during this process can allow a local attacker to cause a kernel crash, resulting in a Denial of Service (DoS) for the affected system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-27 15:04:21 UTC 
In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix NULL pointer dereference in __unix_needs_revalidation

When receiving file descriptors via SCM_RIGHTS, both the socket pointer
and the socket's sk pointer can be NULL during socket setup or teardown,
causing NULL pointer dereferences in __unix_needs_revalidation().

This is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new
__unix_needs_revalidation() function was added without proper NULL checks.

The crash manifests as:
  BUG: kernel NULL pointer dereference, address: 0x0000000000000018
  RIP: aa_file_perm+0xb7/0x3b0 (or +0xbe/0x3b0, +0xc0/0x3e0)
  Call Trace:
   apparmor_file_receive+0x42/0x80
   security_file_receive+0x2e/0x50
   receive_fd+0x1d/0xf0
   scm_detach_fds+0xad/0x1c0

The function dereferences sock->sk->sk_family without checking if either
sock or sock->sk is NULL first.

Add NULL checks for both sock and sock->sk before accessing sk_family.
Comment 1 Keith Grant 2026-05-27 23:01:08 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026052735-CVE-2026-45966-3a47@gregkh/T