PT-2026-29490 · Linux · Linux
Published 2026-04-01 · Updated 2026-04-01 · CVE-2026-23407
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
The verify_dfa() function only checks DEFAULT_TABLE bounds when the state
is not differentially encoded.
When the verification loop traverses the differential encoding chain,
it reads k = DEFAULT_TABLE[j] and uses k as an array index without
validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count,
therefore, causes both out-of-bounds reads and writes.
[ 57.179855] ==================================================================
[ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660
[ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993
[ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 57.181563] Call Trace:
[ 57.181572]
[ 57.181577] dump_stack_lvl+0x5e/0x80
[ 57.181596] print_report+0xc8/0x270
[ 57.181605] ? verify_dfa+0x59a/0x660
[ 57.181608] kasan_report+0x118/0x150
[ 57.181620] ? verify_dfa+0x59a/0x660
[ 57.181623] verify_dfa+0x59a/0x660
[ 57.181627] aa_dfa_unpack+0x1610/0x1740
[ 57.181629] ? kmalloc_cache_noprof+0x1d0/0x470
[ 57.181640] unpack_pdb+0x86d/0x46b0
[ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181656] ? aa_unpack_nameX+0x1a8/0x300
[ 57.181659] aa_unpack+0x20b0/0x4c30
[ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181664] ? stack_depot_save_flags+0x33/0x700
[ 57.181681] ? kasan_save_track+0x4f/0x80
[ 57.181683] ? kasan_save_track+0x3e/0x80
[ 57.181686] ? kasan_kmalloc+0x93/0xb0
[ 57.181688] ? kvmalloc_node_noprof+0x44a/0x780
[ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130
[ 57.181697] ? policy_update+0x154/0x330
[ 57.181704] aa_replace_profiles+0x15a/0x1dd0
[ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181710] ? kvmalloc_node_noprof+0x44a/0x780
[ 57.181712] ? aa_loaddata_alloc+0x77/0x140
[ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181717] ? copy_from_user+0x2a/0x70
[ 57.181730] policy_update+0x17a/0x330
[ 57.181733] profile_replace+0x153/0x1a0
[ 57.181735] ? rw_verify_area+0x93/0x2d0
[ 57.181740] vfs_write+0x235/0xab0
[ 57.181745] ksys_write+0xb0/0x170
[ 57.181748] do_syscall_64+0x8e/0x660
[ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 57.181765] RIP: 0033:0x7f6192792eb2
Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE
entries unconditionally.
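The check described above, shown as an added example (not the kernel's code and not part of this advisory): a simplified userspace model in C with the conditional range check beside the unconditional one. The struct layout, the function names, the DIFF_ENCODE stand-in and the sample tables are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define DIFF_ENCODE 0x80000000u /* stand-in for MATCH_FLAG_DIFF_ENCODE */

/* Simplified model, not the kernel layout: per-state flags and DEFAULT entry. */
struct toy_dfa {
    size_t state_count;
    const uint32_t *flags;
    const uint32_t *def;    /* DEFAULT_TABLE: index of the fallback state */
};

/* Pre-fix shape: diff-encoded states skip the DEFAULT_TABLE range check. */
static bool verify_conditional(const struct toy_dfa *d) {
    for (size_t i = 0; i < d->state_count; i++)
        if (!(d->flags[i] & DIFF_ENCODE) && d->def[i] >= d->state_count)
            return false;
    return true;
}

/* Post-fix shape: every DEFAULT_TABLE entry is range-checked. */
static bool verify_unconditional(const struct toy_dfa *d) {
    for (size_t i = 0; i < d->state_count; i++)
        if (d->def[i] >= d->state_count)
            return false;
    return true;
}

/* Walk the diff-encoding chain from state i; -1 means the next index k
 * would fall outside the tables, which the verifier has to rule out. */
static int chain_walk(const struct toy_dfa *d, size_t i) {
    size_t j = i, k;
    int hops = 0;
    while ((d->flags[j] & DIFF_ENCODE) && (size_t)hops < d->state_count) {
        k = d->def[j];
        if (k >= d->state_count)
            return -1;
        j = k;
        hops++;
    }
    return hops;
}

/* Constructed tables: state 2 is diff-encoded; bad_def[2] is out of range. */
static const uint32_t flags4[4]   = {0, 0, DIFF_ENCODE, 0};
static const uint32_t good_def[4] = {0, 0, 1, 0};
static const uint32_t bad_def[4]  = {0, 0, 9, 0};
static const struct toy_dfa good = {4, flags4, good_def};
static const struct toy_dfa bad  = {4, flags4, bad_def};
```

The conditional verifier accepts the `bad` table because its only out-of-range entry belongs to a diff-encoded state; the unconditional verifier rejects it before any chain walk can use that entry as an index.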
Affected Products
Linux