PT-2026-29489 · Linux · Linux
Published 2026-04-01 · Updated 2026-04-01 · CVE-2026-23406
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix side-effect bug in match_char() macro usage

The match_char() macro evaluates its character parameter multiple
times when traversing differential encoding chains. When invoked
with *str++, the string pointer advances on each iteration of the
inner do-while loop, causing the DFA to check different characters
at each iteration and therefore skip input characters.

This results in out-of-bounds reads when the pointer advances past
the input buffer boundary.
[ 94.984676] ==================================================================
[ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760
[ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976
[ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 94.986329] Call Trace:
[ 94.986341]
[ 94.986347] dump_stack_lvl+0x5e/0x80
[ 94.986374] print_report+0xc8/0x270
[ 94.986384] ? aa_dfa_match+0x5ae/0x760
[ 94.986388] kasan_report+0x118/0x150
[ 94.986401] ? aa_dfa_match+0x5ae/0x760
[ 94.986405] aa_dfa_match+0x5ae/0x760
[ 94.986408] aa_path_perm+0x131/0x400
[ 94.986418] aa_path_perm+0x219/0x2f0
[ 94.986424] apparmor_file_open+0x345/0x570
[ 94.986431] security_file_open+0x5c/0x140
[ 94.986442] do_dentry_open+0x2f6/0x1120
[ 94.986450] vfs_open+0x38/0x2b0
[ 94.986453] ? may_open+0x1e2/0x2b0
[ 94.986466] path_openat+0x231b/0x2b30
[ 94.986469] ? x64_sys_openat+0xf8/0x130
[ 94.986477] do_file_open+0x19d/0x360
[ 94.986487] do_sys_openat2+0x98/0x100
[ 94.986491] x64_sys_openat+0xf8/0x130
[ 94.986499] do_syscall_64+0x8e/0x660
[ 94.986515] ? count_memcg_events+0x15f/0x3c0
[ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986540] ? handle_mm_fault+0x1639/0x1ef0
[ 94.986551] ? vma_start_read+0xf0/0x320
[ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0
[ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0
[ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986588] ? irqentry_exit+0x3c/0x590
[ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 94.986597] RIP: 0033:0x7fda4a79c3ea

Fix by extracting the character value before invoking match_char,
ensuring single evaluation per outer loop.
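
A reduced model of the bug described above, added here as an illustration and not taken from the kernel source: `TOY_MATCH_CHAR`, the state tables and `sample` are constructed, and only the shape (a macro argument expanded inside a retry loop) follows the description. The input is zero-padded so that the overshoot KASAN reports in the real code stays inside the array here.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed toy DFA for "ab": 0->1->2 fallback chain, 3 dead, 5 accept. */
static const unsigned char want[] = { 'x', 'y', 'a', 0, 'b', 0 };
static const int next_st[] = { 3, 3, 4, 3, 5, 3 };  /* taken on a match */
static const int dflt[]    = { 1, 2, 3, 3, 3, 3 };  /* taken on a mismatch */
static const int chain[]   = { 1, 1, 0, 0, 0, 0 };  /* 1: retry in dflt[] state */

/* C sits in the loop body: evaluated once per iteration, not once per use. */
#define TOY_MATCH_CHAR(state, C)            \
do {                                        \
    if (want[state] != (C)) {               \
        int more = chain[state];            \
        (state) = dflt[state];              \
        if (more) continue;                 \
        break;                              \
    }                                       \
    (state) = next_st[state];               \
    break;                                  \
} while (1)

struct walk { size_t off; int state; };     /* bytes consumed, final state */

/* Side effect in the macro argument: one increment per chain link. */
static struct walk walk_buggy(const char *str) {
    const char *p = str;
    int state = 0;
    while (*p)
        TOY_MATCH_CHAR(state, (unsigned char)*p++);
    return (struct walk){ (size_t)(p - str), state };
}

/* Read the byte once, then pass the macro a plain value. */
static struct walk walk_fixed(const char *str) {
    const char *p = str;
    int state = 0;
    while (*p) {
        unsigned char c = (unsigned char)*p++;
        TOY_MATCH_CHAR(state, c);
    }
    return (struct walk){ (size_t)(p - str), state };
}

/* Zero-padded so the buggy walk's overshoot stays inside the array. */
static const char sample[8] = "ab";
int main(void) {
    struct walk b = walk_buggy(sample), f = walk_fixed(sample);
    printf("buggy %zu/%d fixed %zu/%d\n", b.off, b.state, f.off, f.state);
}
```

On `sample` the buggy walk stops at offset 3, one byte past the terminator at offset 2, and lands in the dead state; the fixed walk stops at offset 2 in the accepting state.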
Affected Products
Linux