CVE-2026-46055
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2026
Last modified:
16/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
apparmor: Fix string overrun due to missing termination<br />
<br />
When booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm<br />
Snapdragon X1 we see a string buffer overrun:<br />
<br />
BUG: KASAN: slab-out-of-bounds in aa_dfa_match (security/apparmor/match.c:535)<br />
Read of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120<br />
<br />
CPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY<br />
Hardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025<br />
Call trace:<br />
show_stack (arch/arm64/kernel/stacktrace.c:501) (C)<br />
dump_stack_lvl (lib/dump_stack.c:122)<br />
print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)<br />
kasan_report (mm/kasan/report.c:597)<br />
__asan_report_load1_noabort (mm/kasan/report_generic.c:378)<br />
aa_dfa_match (security/apparmor/match.c:535)<br />
match_mnt_path_str (security/apparmor/mount.c:244 security/apparmor/mount.c:336)<br />
match_mnt (security/apparmor/mount.c:371)<br />
aa_bind_mount (security/apparmor/mount.c:447 (discriminator 4))<br />
apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))<br />
security_sb_mount (security/security.c:1062 (discriminator 31))<br />
path_mount (fs/namespace.c:4101)<br />
__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)<br />
invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)<br />
el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))<br />
do_el0_svc (arch/arm64/kernel/syscall.c:152)<br />
el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)<br />
el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)<br />
el0t_64_sync (arch/arm64/kernel/entry.S:596)<br />
<br />
Allocated by task 2120:<br />
kasan_save_stack (mm/kasan/common.c:58)<br />
kasan_save_track (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79)<br />
kasan_save_alloc_info (mm/kasan/generic.c:571)<br />
__kasan_kmalloc (mm/kasan/common.c:419)<br />
__kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272)<br />
aa_get_buffer (security/apparmor/lsm.c:2201)<br />
aa_bind_mount (security/apparmor/mount.c:442)<br />
apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))<br />
security_sb_mount (security/security.c:1062 (discriminator 31))<br />
path_mount (fs/namespace.c:4101)<br />
__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)<br />
invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)<br />
el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))<br />
do_el0_svc (arch/arm64/kernel/syscall.c:152)<br />
el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)<br />
el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)<br />
el0t_64_sync (arch/arm64/kernel/entry.S:596)<br />
<br />
The buggy address belongs to the object at ffff0008901ca000<br />
which belongs to the cache kmalloc-rnd-06-8k of size 8192<br />
The buggy address is located 0 bytes to the right of<br />
allocated 8192-byte region [ffff0008901ca000, ffff0008901cc000)<br />
<br />
The buggy address belongs to the physical page:<br />
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9101c8<br />
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:-1 pincount:0<br />
flags: 0x8000000000000040(head|zone=2)<br />
page_type: f5(slab)<br />
raw: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70<br />
raw: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000<br />
head: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70<br />
head: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000<br />
head: 8000000000000003 fffffdffe2407201 fffffdffffffffff 00000000ffffffff<br />
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008<br />
page dumped because: kasan: bad access detected<br />
<br />
Memory state around the buggy address:<br />
ffff0008901cbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
ffff0008<br />
---truncated---
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 7.0 (including) | 7.0.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



