CVE-2026-23407

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> apparmor: fix missing bounds check on DEFAULT table in verify_dfa()<br /> <br /> The verify_dfa() function only checks DEFAULT_TABLE bounds when the state<br /> is not differentially encoded.<br /> <br /> When the verification loop traverses the differential encoding chain,<br /> it reads k = DEFAULT_TABLE[j] and uses k as an array index without<br /> validation. A malformed DFA with DEFAULT_TABLE[j] &gt;= state_count,<br /> therefore, causes both out-of-bounds reads and writes.<br /> <br /> [ 57.179855] ==================================================================<br /> [ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660<br /> [ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993<br /> <br /> [ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)<br /> [ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> [ 57.181563] Call Trace:<br /> [ 57.181572] <br /> [ 57.181577] dump_stack_lvl+0x5e/0x80<br /> [ 57.181596] print_report+0xc8/0x270<br /> [ 57.181605] ? verify_dfa+0x59a/0x660<br /> [ 57.181608] kasan_report+0x118/0x150<br /> [ 57.181620] ? verify_dfa+0x59a/0x660<br /> [ 57.181623] verify_dfa+0x59a/0x660<br /> [ 57.181627] aa_dfa_unpack+0x1610/0x1740<br /> [ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470<br /> [ 57.181640] unpack_pdb+0x86d/0x46b0<br /> [ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 57.181656] ? aa_unpack_nameX+0x1a8/0x300<br /> [ 57.181659] aa_unpack+0x20b0/0x4c30<br /> [ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 57.181664] ? stack_depot_save_flags+0x33/0x700<br /> [ 57.181681] ? kasan_save_track+0x4f/0x80<br /> [ 57.181683] ? kasan_save_track+0x3e/0x80<br /> [ 57.181686] ? __kasan_kmalloc+0x93/0xb0<br /> [ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780<br /> [ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130<br /> [ 57.181697] ? policy_update+0x154/0x330<br /> [ 57.181704] aa_replace_profiles+0x15a/0x1dd0<br /> [ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780<br /> [ 57.181712] ? aa_loaddata_alloc+0x77/0x140<br /> [ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 57.181717] ? _copy_from_user+0x2a/0x70<br /> [ 57.181730] policy_update+0x17a/0x330<br /> [ 57.181733] profile_replace+0x153/0x1a0<br /> [ 57.181735] ? rw_verify_area+0x93/0x2d0<br /> [ 57.181740] vfs_write+0x235/0xab0<br /> [ 57.181745] ksys_write+0xb0/0x170<br /> [ 57.181748] do_syscall_64+0x8e/0x660<br /> [ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 57.181765] RIP: 0033:0x7f6192792eb2<br /> <br /> Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE<br /> entries unconditionally.