CVE-2026-23410
HIGH SEVERITYCVSS Score & Metrics
Base Score
7.8 / 10
Vector String
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix race on rawdata dereference
There is a race condition that leads to a use-after-free situation:
because the rawdata inodes are not refcounted, an attacker can start
open()ing one of the rawdata files, and at the same time remove the
last reference to this rawdata (by removing the corresponding profile,
for example), which frees its struct aa_loaddata; as a result, when
seq_rawdata_open() is reached, i_private is a dangling pointer and
freed memory is accessed.
The rawdata inodes weren't refcounted to avoid a circular refcount and
were supposed to be held by the profile rawdata reference. However
during profile removal there is a window where the vfs and profile
destruction race, resulting in the use after free.
Fix this by moving to a double refcount scheme. Where the profile
refcount on rawdata is used to break the circular dependency. Allowing
for freeing of the rawdata once all inode references to the rawdata
are put.
apparmor: fix race on rawdata dereference
There is a race condition that leads to a use-after-free situation:
because the rawdata inodes are not refcounted, an attacker can start
open()ing one of the rawdata files, and at the same time remove the
last reference to this rawdata (by removing the corresponding profile,
for example), which frees its struct aa_loaddata; as a result, when
seq_rawdata_open() is reached, i_private is a dangling pointer and
freed memory is accessed.
The rawdata inodes weren't refcounted to avoid a circular refcount and
were supposed to be held by the profile rawdata reference. However
during profile removal there is a window where the vfs and profile
destruction race, resulting in the use after free.
Fix this by moving to a double refcount scheme. Where the profile
refcount on rawdata is used to break the circular dependency. Allowing
for freeing of the rawdata once all inode references to the rawdata
are put.
Vulnerability Details
Published Date
Last Modified
Source
NVD
Vendor
Linux
Product
Linux
External References
- https://git.kernel.org/stable/c/6ef1f2926c41ab96952d9696d55a052f1b3a9418
- https://git.kernel.org/stable/c/763e838adc3c7ec5a7df2990ce84cad951e42721
- https://git.kernel.org/stable/c/a0b7091c4de45a7325c8780e6934a894f92ac86b
- https://git.kernel.org/stable/c/af782cc8871e3683ddd5a3cd2f7df526599863a9
- https://git.kernel.org/stable/c/f9761add6d100962a23996cb68f3d6abdd4d1815
Discussion (0)
Add Comment
No comments yet. Be the first!