CVE-2026-45965
Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
apparmor: fix invalid deref of rawdata when export_binary is unset<br />
<br />
If the export_binary parameter is disabled on runtime, profiles that<br />
were loaded before that will still have their rawdata stored in<br />
apparmorfs, with a symbolic link to the rawdata on the policy<br />
directory. When one of those profiles are replaced, the rawdata is set<br />
to NULL, but when trying to resolve the symbolic links to rawdata for<br />
that profile, it will try to dereference profile->rawdata->name when<br />
profile->rawdata is now NULL causing an oops. Fix it by checking if<br />
rawdata is set.<br />
<br />
[ 168.653080] BUG: kernel NULL pointer dereference, address: 0000000000000088<br />
[ 168.657420] #PF: supervisor read access in kernel mode<br />
[ 168.660619] #PF: error_code(0x0000) - not-present page<br />
[ 168.663613] PGD 0 P4D 0<br />
[ 168.665450] Oops: Oops: 0000 [#1] SMP NOPTI<br />
[ 168.667836] CPU: 1 UID: 0 PID: 1729 Comm: ls Not tainted 6.19.0-rc7+ #3 PREEMPT(voluntary)<br />
[ 168.672308] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br />
[ 168.679327] RIP: 0010:rawdata_get_link_base.isra.0+0x23/0x330<br />
[ 168.682768] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 18 48 89 55 d0 48 85 ff 0f 84 e3 01 00 00 83 3c 25 88 00 00 00 00 0f 84 d4 01 00 00 49 89 f6 49 89 cc e8<br />
[ 168.689818] RSP: 0018:ffffcdcb8200fb80 EFLAGS: 00010282<br />
[ 168.690871] RAX: ffffffffaee74ec0 RBX: 0000000000000000 RCX: ffffffffb0120158<br />
[ 168.692251] RDX: ffffcdcb8200fbe0 RSI: ffff88c187c9fa80 RDI: ffff88c186c98a80<br />
[ 168.693593] RBP: ffffcdcb8200fbc0 R08: 0000000000000000 R09: 0000000000000000<br />
[ 168.694941] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88c186c98a80<br />
[ 168.696289] R13: 00007fff005aaa20 R14: 0000000000000080 R15: ffff88c188f4fce0<br />
[ 168.697637] FS: 0000790e81c58280(0000) GS:ffff88c20a957000(0000) knlGS:0000000000000000<br />
[ 168.699227] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
[ 168.700349] CR2: 0000000000000088 CR3: 000000012fd3e000 CR4: 0000000000350ef0<br />
[ 168.701696] Call Trace:<br />
[ 168.702325] <br />
[ 168.702995] rawdata_get_link_data+0x1c/0x30<br />
[ 168.704145] vfs_readlink+0xd4/0x160<br />
[ 168.705152] do_readlinkat+0x114/0x180<br />
[ 168.706214] __x64_sys_readlink+0x1e/0x30<br />
[ 168.708653] x64_sys_call+0x1d77/0x26b0<br />
[ 168.709525] do_syscall_64+0x81/0x500<br />
[ 168.710348] ? do_statx+0x72/0xb0<br />
[ 168.711109] ? putname+0x3e/0x80<br />
[ 168.711845] ? __x64_sys_statx+0xb7/0x100<br />
[ 168.712711] ? x64_sys_call+0x10fc/0x26b0<br />
[ 168.713577] ? do_syscall_64+0xbf/0x500<br />
[ 168.714412] ? do_user_addr_fault+0x1d2/0x8d0<br />
[ 168.715404] ? irqentry_exit+0xb2/0x740<br />
[ 168.716359] ? exc_page_fault+0x90/0x1b0<br />
[ 168.717307] entry_SYSCALL_64_after_hwframe+0x76/0x7e
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026