CVE-2026-23410

Severity CVSS v4.0:
Pending analysis
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
01/04/2026
Last modified:
24/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix race on rawdata dereference

There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling pointer and freed memory is accessed.

The rawdata inodes weren't refcounted to avoid a circular refcount and were supposed to be held by the profile rawdata reference. However, during profile removal there is a window where the vfs and profile destruction race, resulting in the use after free.

Fix this by moving to a double refcount scheme, where the profile refcount on rawdata is used to break the circular dependency, allowing for freeing of the rawdata once all inode references to the rawdata are put.
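The double refcount scheme described above, as an added userspace model in C; it is not the kernel patch or AppArmor code. The struct, the function names and the `freed` test hook are illustrative assumptions: `pcount` counts profile references, and `count` is the lifetime count that each inode also holds.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only; all names here are illustrative assumptions. */
struct loaddata {
    atomic_int count;   /* lifetime refs: one per inode, one for the profile side */
    atomic_int pcount;  /* profile refs; the last put releases the profile side */
    int *freed;         /* constructed test hook: set to 1 when memory is released */
};

static struct loaddata *loaddata_new(int *freed) {
    struct loaddata *d = malloc(sizeof(*d));
    if (!d) abort();
    atomic_init(&d->count, 1);   /* held on behalf of all profile references */
    atomic_init(&d->pcount, 1);  /* the first profile */
    d->freed = freed;
    return d;
}

static void put_count(struct loaddata *d) {
    if (atomic_fetch_sub(&d->count, 1) == 1) {  /* last lifetime reference */
        *d->freed = 1;
        free(d);
    }
}

/* Taken when a rawdata inode is created, so its private pointer stays pinned. */
static void inode_get(struct loaddata *d) { atomic_fetch_add(&d->count, 1); }
/* Dropped when the inode is evicted. */
static void inode_put(struct loaddata *d) { put_count(d); }

static void profile_put(struct loaddata *d) {
    if (atomic_fetch_sub(&d->pcount, 1) == 1)
        put_count(d);  /* last profile gone: drop the profile side's lifetime ref */
}

/* Returns 1 when the object outlives profile removal and is freed on inode put. */
static int open_vs_removal(void) {
    int freed = 0;
    struct loaddata *d = loaddata_new(&freed);
    inode_get(d);                 /* rawdata file exists */
    profile_put(d);               /* profile removed while an open() is in flight */
    int alive_at_open = !freed;   /* the open handler can still use the pointer */
    inode_put(d);                 /* inode evicted after the open path is done */
    return alive_at_open && freed;
}

int main(void) {
    printf("open_vs_removal: %d\n", open_vs_removal());
    return 0;
}
```

Without the `inode_get()` reference, the `profile_put()` call alone would free the object, which is the dangling-pointer window the description refers to.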

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.13.1 (including) | 5.10.253 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.203 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.169 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.130 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.77 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.18 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:4.13:-:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* | | |