CVE-2026-23406

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> apparmor: fix side-effect bug in match_char() macro usage<br /> <br /> The match_char() macro evaluates its character parameter multiple<br /> times when traversing differential encoding chains. When invoked<br /> with *str++, the string pointer advances on each iteration of the<br /> inner do-while loop, causing the DFA to check different characters<br /> at each iteration and therefore skip input characters.<br /> This results in out-of-bounds reads when the pointer advances past<br /> the input buffer boundary.<br /> <br /> [ 94.984676] ==================================================================<br /> [ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760<br /> [ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976<br /> <br /> [ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)<br /> [ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> [ 94.986329] Call Trace:<br /> [ 94.986341] <br /> [ 94.986347] dump_stack_lvl+0x5e/0x80<br /> [ 94.986374] print_report+0xc8/0x270<br /> [ 94.986384] ? aa_dfa_match+0x5ae/0x760<br /> [ 94.986388] kasan_report+0x118/0x150<br /> [ 94.986401] ? aa_dfa_match+0x5ae/0x760<br /> [ 94.986405] aa_dfa_match+0x5ae/0x760<br /> [ 94.986408] __aa_path_perm+0x131/0x400<br /> [ 94.986418] aa_path_perm+0x219/0x2f0<br /> [ 94.986424] apparmor_file_open+0x345/0x570<br /> [ 94.986431] security_file_open+0x5c/0x140<br /> [ 94.986442] do_dentry_open+0x2f6/0x1120<br /> [ 94.986450] vfs_open+0x38/0x2b0<br /> [ 94.986453] ? may_open+0x1e2/0x2b0<br /> [ 94.986466] path_openat+0x231b/0x2b30<br /> [ 94.986469] ? __x64_sys_openat+0xf8/0x130<br /> [ 94.986477] do_file_open+0x19d/0x360<br /> [ 94.986487] do_sys_openat2+0x98/0x100<br /> [ 94.986491] __x64_sys_openat+0xf8/0x130<br /> [ 94.986499] do_syscall_64+0x8e/0x660<br /> [ 94.986515] ? count_memcg_events+0x15f/0x3c0<br /> [ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 94.986540] ? handle_mm_fault+0x1639/0x1ef0<br /> [ 94.986551] ? vma_start_read+0xf0/0x320<br /> [ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0<br /> [ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0<br /> [ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 94.986588] ? irqentry_exit+0x3c/0x590<br /> [ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 94.986597] RIP: 0033:0x7fda4a79c3ea<br /> <br /> Fix by extracting the character value before invoking match_char,<br /> ensuring single evaluation per outer loop.