High

Out-of-bounds read in Linux kernel AppArmor unpack_pdb

IdentifiersCVE-2026-23269CWE-125· Out-of-bounds Read

CVE-2026-23269 is an AppArmor vulnerability in the Linux kernel's policy unpacking path. In unpack_pdb(), DFA start states are read from untrusted policy data and used as indexes into DFA state tables without validating that the start value is within the number of DFA states. During processing, aa_dfa_next() accesses dfa->tables[YYTD_ID_BASE][start]; if the supplied start state exceeds the valid bounds, this causes an out-of-bounds read. The issue was observed as a KASAN-reported slab-out-of-bounds read in aa_dfa_next(). The fix rejects AppArmor policies whose DFA start states are out of bounds during unpacking.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can trigger an out-of-bounds read in kernel memory from the AppArmor subsystem, leading to kernel instability or denial of service. Published CVSS metrics also indicate potential confidentiality impact from unintended kernel-memory disclosure. In containerized or otherwise delegated AppArmor policy-management scenarios discussed by the maintainer and Qualys, the bug may be reachable by a low-privileged local attacker able to load crafted AppArmor policy data.

Mitigation

If you can’t patch tonight, do this now.

Where immediate patching is not possible, reduce or eliminate the ability of untrusted users or containers to load or manage AppArmor policy. In the container-specific exposure described by the AppArmor maintainer, set the sysctl unprivileged_userns_apparmor_policy=false to prevent root inside a user namespace/container from loading AppArmor policy when a policy namespace is tied to that container. More generally, avoid delegating AppArmor policy namespace management to untrusted tenants and restrict access to local filesystem paths or interfaces used to supply policy blobs.

Remediation

Patch, then assume compromise.

Apply a Linux kernel update that includes the AppArmor fix for CVE-2026-23269, specifically the change that validates DFA start states during unpack_pdb() and rejects malformed policies. Vendor advisories indicate the fix has been shipped across multiple SUSE kernel package lines; administrators should install the relevant updated kernel packages for their distribution and reboot into the patched kernel.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

ApparmorApparmorapplication

CanonicalUbuntuoperating_system

LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

24 SOURCESView more in app

bugzilla suseNews

Jun 4, 2026

1261348 - Possible regression in 6.12.0-160000.27.1: IOMMU groups collapse on x86_64/AMD system

Referenced as one of many CVEs addressed by SUSE kernel security updates; no vulnerability details are provided in the content.

bugzilla suseNews

Jun 1, 2026

1263135 - Add missing USB IDs for rtl8822bu driver

Listed as one of 206 vulnerabilities addressed by a SUSE kernel security update; no per-CVE technical detail is provided in the content.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity9

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-23269

NVD

nvd.nist.gov/vuln/detail/CVE-2026-23269

MITRE CWE · CWE-125

Out-of-bounds Read

Patch

git.kernel.org/stable/c/07cf6320f40ea2ccfad63728cff34ecb309d03da

Patch

git.kernel.org/stable/c/0baadb0eece2c4d939db10d3c323b4652ac79a58

Patch

git.kernel.org/stable/c/15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c

Patch

git.kernel.org/stable/c/3bb7db43e32190c973d4019037cedb7895920184

Patch

git.kernel.org/stable/c/5443c027ec16afa55b1b8a3e7a1ab2ea3c77767a

Patch

git.kernel.org/stable/c/5487871b2b56c19d26936ed6fdc62652b30941df

Patch

git.kernel.org/stable/c/9063d7e2615f4a7ab321de6b520e23d370e58816

Patch

git.kernel.org/stable/c/f43eea8ae0102ea198da211ef7f5ce83725ecf19

Third Party Advisory

qualys.com/2026/03/10/crack-armor.txt