2453798 – (CVE-2026-23408) CVE-2026-23408 kernel: apparmor: Fix double free of ns_name in aa_replace_profiles()

Bug 2453798 (CVE-2026-23408) - CVE-2026-23408 kernel: apparmor: Fix double free of ns_name in aa_replace_profiles()

Summary: CVE-2026-23408 kernel: apparmor: Fix double free of ns_name in aa_replace_pro...

Keywords:
Status:	NEW
Alias:	CVE-2026-23408
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-01 10:02 UTC by OSIDB Bzimport
Modified:	2026-04-01 13:34 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-01 10:02:20 UTC

In the Linux kernel, the following vulnerability has been resolved:

apparmor: Fix double free of ns_name in aa_replace_profiles()

if ns_name is NULL after
1071         error = aa_unpack(udata, &lh, &ns_name);

and if ent->ns_name contains an ns_name in
1089                 } else if (ent->ns_name) {

then ns_name is assigned the ent->ns_name
1095                         ns_name = ent->ns_name;

however ent->ns_name is freed at
1262                 aa_load_ent_free(ent);

and then again when freeing ns_name at
1270         kfree(ns_name);

Fix this by NULLing out ent->ns_name after it is transferred to ns_name

")

Comment 1 Alexander B 2026-04-01 13:31:12 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026040113-CVE-2026-23408-1932@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.