Bug 2481959 (CVE-2026-45966) - CVE-2026-45966 kernel: apparmor: fix NULL pointer dereference in __unix_needs_revalidation
Summary: CVE-2026-45966 kernel: apparmor: fix NULL pointer dereference in __unix_needs...
Keywords:
Status: NEW
Alias: CVE-2026-45966
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-27 15:04 UTC by OSIDB Bzimport
Modified: 2026-05-27 23:02 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-27 15:04:21 UTC 
In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix NULL pointer dereference in __unix_needs_revalidation

When receiving file descriptors via SCM_RIGHTS, both the socket pointer
and the socket's sk pointer can be NULL during socket setup or teardown,
causing NULL pointer dereferences in __unix_needs_revalidation().

This is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new
__unix_needs_revalidation() function was added without proper NULL checks.

The crash manifests as:
  BUG: kernel NULL pointer dereference, address: 0x0000000000000018
  RIP: aa_file_perm+0xb7/0x3b0 (or +0xbe/0x3b0, +0xc0/0x3e0)
  Call Trace:
   apparmor_file_receive+0x42/0x80
   security_file_receive+0x2e/0x50
   receive_fd+0x1d/0xf0
   scm_detach_fds+0xad/0x1c0

The function dereferences sock->sk->sk_family without checking if either
sock or sock->sk is NULL first.

Add NULL checks for both sock and sock->sk before accessing sk_family.
Comment 1 Keith Grant 2026-05-27 23:01:08 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026052735-CVE-2026-45966-3a47@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.