2448753 – (CVE-2026-23269) CVE-2026-23269 kernel: apparmor: validate DFA start states are in bounds in unpack_pdb

Bug 2448753 (CVE-2026-23269) - CVE-2026-23269 kernel: apparmor: validate DFA start states are in bounds in unpack_pdb

Summary: CVE-2026-23269 kernel: apparmor: validate DFA start states are in bounds in u...

Keywords:
Status:	NEW
Alias:	CVE-2026-23269
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-18 19:03 UTC by OSIDB Bzimport
Modified:	2026-03-19 11:06 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-18 19:03:23 UTC

In the Linux kernel, the following vulnerability has been resolved:

apparmor: validate DFA start states are in bounds in unpack_pdb

Start states are read from untrusted data and used as indexes into the
DFA state tables. The aa_dfa_next() function call in unpack_pdb() will
access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds
the number of states in the DFA, this results in an out-of-bound read.

==================================================================
 BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
 Read of size 4 at addr ffff88811956fb90 by task su/1097
 ...

Reject policies with out-of-bounds start states during unpacking
to prevent the issue.

Comment 1 Alexander B 2026-03-19 11:03:36 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026031846-CVE-2026-23269-2bf7@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.