Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Use-after-free in Linux kernel AppArmor rawdata handling

IdentifiersCVE-2026-23410CWE-416

CVE-2026-23410 is a Linux kernel AppArmor vulnerability caused by a race condition in raw profile data handling that can lead to a use-after-free. AppArmor exposes members of struct aa_loaddata through securityfs raw_data entries. Because the associated rawdata inodes were not refcounted, an attacker could race open() on one of these rawdata files against removal of the last reference to the same rawdata object, for example by removing the corresponding AppArmor profile. In the vulnerable path, seq_rawdata_open() dereferences inode->i_private after the underlying struct aa_loaddata may already have been freed, leaving i_private as a dangling pointer and causing access to freed memory. The upstream fix changed AppArmor rawdata lifetime management to a double-refcount scheme so the profile reference breaks the circular dependency while rawdata is only freed after all inode references are released.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can give a local attacker high-impact compromise of confidentiality, integrity, and availability. The supplied content states the bug is exploitable for local privilege escalation: by winning the race and reclaiming the freed aa_loaddata object with attacker-controlled or strategically useful allocations, an attacker can turn the use-after-free into arbitrary kernel memory manipulation. Reported exploitation techniques included cross-cache page-table reallocation to make the page cache for /etc/passwd writable and obtain a root shell. At minimum, the flaw can cause kernel memory corruption and system instability; in practice, the provided reporting indicates reliable elevation to root on tested systems.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting local untrusted access to affected systems, since exploitation is local and requires the ability to interact with AppArmor policy/raw_data interfaces and trigger profile lifecycle events. Limit who can load, unload, or manipulate AppArmor profiles, and minimize opportunities for low-privileged users to execute code on affected hosts. No specific vendor workaround beyond applying the kernel fix is provided in the supplied content.

Remediation

Patch, then assume compromise.

Apply a kernel update containing the upstream AppArmor fix for CVE-2026-23410. The fix moves rawdata lifetime handling to a double-refcount model so aa_loaddata objects are not freed until both profile and inode references are released. The supplied content indicates SUSE has shipped fixes across multiple product lines, with fixed kernel package versions including at least: kernel-default >= 5.14.21-150400.24.219.1 for several SLES 15 SP4-related products, >= 5.14.21-150500.55.166.1 for several SLES 15 SP5-related products, >= 6.4.0-150600.23.112.1 for several SLES 15 SP6-related products, >= 6.4.0-150700.53.55.1 for SLES 15 SP7-related products, >= 6.4.0-46.1 for SUSE Linux Micro 6.0/6.1, and >= 6.12.0-160000.33.1 for SLES 16.0, SUSE Linux Micro 6.2, and openSUSE Leap 16.0. Install the vendor-provided kernel update appropriate to the affected distribution and reboot into the patched kernel.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-23410
NVD
nvd.nist.gov/vuln/detail/CVE-2026-23410
MITRE CWE · CWE-416
cwe.mitre.org
Patch
git.kernel.org/stable/c/3b8e77c7abab40e6de9ad9de730d77984a498840
Patch
git.kernel.org/stable/c/6b6ba87579c7e7c669e0bec91823e7fb693bc5df
Patch
git.kernel.org/stable/c/6ef1f2926c41ab96952d9696d55a052f1b3a9418
Patch
git.kernel.org/stable/c/763e838adc3c7ec5a7df2990ce84cad951e42721
Patch
git.kernel.org/stable/c/a0b7091c4de45a7325c8780e6934a894f92ac86b
Patch
git.kernel.org/stable/c/af782cc8871e3683ddd5a3cd2f7df526599863a9
Patch
git.kernel.org/stable/c/d9d8560b9b7932f8cffc4c068c14289220900f79
Patch
git.kernel.org/stable/c/f9761add6d100962a23996cb68f3d6abdd4d1815