CVE-2026-23268

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/03/2026
Last modified: 02/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix unprivileged local user can do privileged policy management

An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by passing the opened fd to a privileged process, and getting the privileged process to write to the interface.

This does require a privileged target that can be manipulated to do the write for the unprivileged process, but once such access is achieved full policy management is possible and all the possible implications that implies: removing confinement, DoS of system or target applications by denying all execution, by-passing the unprivileged user namespace restriction, to exploiting kernel bugs for a local privilege escalation.

The policy management interface can not have its permissions simply changed from 0666 to 0600 because non-root processes need to be able to load policy to different policy namespaces.

Instead ensure the task writing the interface has privileges that are a subset of the task that opened the interface. This is already done via policy for confined processes, but unconfined can delegate access to the opened fd, by-passing the usual policy check.
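
The opener-versus-writer check described above can be modelled in user space. This is an added example, not the kernel patch or any AppArmor code: the privilege bits, struct names and functions are hypothetical, and the kernel compares AppArmor labels and credentials rather than a bitmask.

```c
/* Added illustration: a user-space model of the check, not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical privilege bits standing in for a task's real privileges. */
#define PRIV_POLICY_ADMIN (1u << 0)  /* may manage policy */
#define PRIV_OTHER        (1u << 1)  /* any further privilege */

struct task { const char *name; uint32_t privs; };

/* An open interface file records its opener's privileges (as file->f_cred does). */
struct policy_fd { uint32_t opener_privs; };

static struct policy_fd policy_open(const struct task *opener) {
    struct policy_fd fd = { opener->privs };
    return fd;
}

/* Model of the flawed behaviour: only the writing task is checked. */
static bool write_ok_before(const struct policy_fd *fd, const struct task *writer) {
    (void)fd;
    return (writer->privs & PRIV_POLICY_ADMIN) != 0;
}

/* Model of the fix: the writer's privileges must also be a subset of the opener's. */
static bool write_ok_after(const struct policy_fd *fd, const struct task *writer) {
    bool subset = (writer->privs & ~fd->opener_privs) == 0;
    return subset && write_ok_before(fd, writer);
}

int main(void) {
    struct task user = { "unprivileged-user", 0 };
    struct task daemon = { "privileged-daemon", PRIV_POLICY_ADMIN | PRIV_OTHER };
    struct policy_fd passed = policy_open(&user);   /* user opens, hands fd to daemon */
    struct policy_fd own = policy_open(&daemon);    /* daemon opens and writes itself */
    printf("passed fd: before=%d after=%d\n",
           write_ok_before(&passed, &daemon), write_ok_after(&passed, &daemon));
    printf("own fd:    before=%d after=%d\n",
           write_ok_before(&own, &daemon), write_ok_after(&own, &daemon));
    return 0;
}
```

In the model, the write through the delegated fd is accepted by the writer-only check and rejected once the opener's privileges are compared, while the daemon writing to an fd it opened itself is accepted in both cases.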