Medium

Linux kernel AppArmor recursive profile removal stack exhaustion

IdentifiersCVE-2026-23404CWE-674

CVE-2026-23404 is a local denial-of-service vulnerability in the Linux kernel AppArmor subsystem. The flaw is in the profile removal logic for nested AppArmor profiles: removing an ancestor profile causes recursive traversal and deletion of descendant profiles via __remove_profile() and __aa_profile_list_release(). If an attacker creates a deeply nested hierarchy of subprofiles and then removes the top-level profile, the recursive call chain can exhaust the kernel stack and crash the system. The upstream fix replaces the recursive removal logic with an iterative approach in __remove_profile() that repeatedly removes leaf profiles until the subtree is fully deleted, preserving semantics while avoiding unbounded recursion.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can exhaust kernel stack space and crash the system, resulting in a local denial of service. Available supporting content indicates high availability impact with no demonstrated confidentiality or integrity impact, and the issue is believed to be DoS-only rather than a local privilege escalation.

Mitigation

If you can’t patch tonight, do this now.

Until patched, reduce exposure by restricting who can load and remove AppArmor profiles or create deeply nested AppArmor subprofile hierarchies. Limit local low-privilege access to AppArmor management interfaces and avoid delegating profile-management capabilities to untrusted users or containers. These are partial mitigations only; the definitive fix is a patched kernel.

Remediation

Patch, then assume compromise.

Apply a kernel update that includes the AppArmor fix for CVE-2026-23404. The upstream remediation replaces recursive nested-profile deletion with an iterative removal algorithm in __remove_profile(). Vendor advisories indicate fixes have been shipped across multiple SUSE kernel package lines; affected systems should be updated to the vendor-provided fixed kernel and rebooted as required.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

bugzilla suseNews

Jun 4, 2026

1258854 - (CVE-2026-23404) VUL-0: CVE-2026-23404: kernel: apparmor: replace recursive profile removal with iterative approach

An uncontrolled recursion vulnerability in the Linux kernel's AppArmor profile removal logic that can exhaust the kernel stack and crash the system, resulting in denial of service.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-23404

NVD

nvd.nist.gov/vuln/detail/CVE-2026-23404

MITRE CWE · CWE-674

cwe.mitre.org

Patch

git.kernel.org/stable/c/33959a491e9fd557abfa5fce5ae4637d400915d3

Patch

git.kernel.org/stable/c/4fdc847b107321dec22bf8ecd6019b7af76d7886

Patch

git.kernel.org/stable/c/7eade846e013cbe8d2dc4a484463aa19e6515c7f

Patch

git.kernel.org/stable/c/999bd704b0b641527a5ed46f0d969deff8cfa68b

Patch

git.kernel.org/stable/c/a6a941a1294ac5abe22053dc501d25aed96e48fe

Patch

git.kernel.org/stable/c/ab09264660f9de5d05d1ef4e225aa447c63a8747

Patch

git.kernel.org/stable/c/b36a04284d0208be94e5e401409caa00e2bf1be1

Patch

git.kernel.org/stable/c/ea854f032190cc9f26dc4a0e727090c89e55e342