CVE-2026-46055 (GCVE-0-2026-46055)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:57 – Updated: 2026-05-27 12:57
Title
apparmor: Fix string overrun due to missing termination
Summary
In the Linux kernel, the following vulnerability has been resolved:

apparmor: Fix string overrun due to missing termination

When booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm Snapdragon X1 we see a string buffer overrun:

BUG: KASAN: slab-out-of-bounds in aa_dfa_match (security/apparmor/match.c:535)
Read of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120

CPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY
Hardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025
Call trace:
show_stack (arch/arm64/kernel/stacktrace.c:501) (C)
dump_stack_lvl (lib/dump_stack.c:122)
print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
kasan_report (mm/kasan/report.c:597)
__asan_report_load1_noabort (mm/kasan/report_generic.c:378)
aa_dfa_match (security/apparmor/match.c:535)
match_mnt_path_str (security/apparmor/mount.c:244 security/apparmor/mount.c:336)
match_mnt (security/apparmor/mount.c:371)
aa_bind_mount (security/apparmor/mount.c:447 (discriminator 4))
apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))
security_sb_mount (security/security.c:1062 (discriminator 31))
path_mount (fs/namespace.c:4101)
__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)
invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)
el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))
do_el0_svc (arch/arm64/kernel/syscall.c:152)
el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)
el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)
el0t_64_sync (arch/arm64/kernel/entry.S:596)

Allocated by task 2120:
kasan_save_stack (mm/kasan/common.c:58)
kasan_save_track (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79)
kasan_save_alloc_info (mm/kasan/generic.c:571)
__kasan_kmalloc (mm/kasan/common.c:419)
__kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272)
aa_get_buffer (security/apparmor/lsm.c:2201)
aa_bind_mount (security/apparmor/mount.c:442)
apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))
security_sb_mount (security/security.c:1062 (discriminator 31))
path_mount (fs/namespace.c:4101)
__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)
invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)
el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))
do_el0_svc (arch/arm64/kernel/syscall.c:152)
el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)
el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)
el0t_64_sync (arch/arm64/kernel/entry.S:596)

The buggy address belongs to the object at ffff0008901ca000
which belongs to the cache kmalloc-rnd-06-8k of size 8192
The buggy address is located 0 bytes to the right of
allocated 8192-byte region [ffff0008901ca000, ffff0008901cc000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9101c8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:-1 pincount:0
flags: 0x8000000000000040(head|zone=2)
page_type: f5(slab)
raw: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70
raw: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000
head: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70
head: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000
head: 8000000000000003 fffffdffe2407201 fffffdffffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0008901cbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0008
---truncated---
Severity
No CVSS data available.
Assigner
Impacted products

Vendor: Linux
Product: Linux
Version:
  Affected: 93d4dbdc8da0b8a3ba86f4a08868084f8da872e1 , < 4b877ef27adc8ec187b0418629169856e7264e01 (git)
  Affected: 93d4dbdc8da0b8a3ba86f4a08868084f8da872e1 , < 828bf7929bedcb79b560b5b4e44f22abee07d31b (git)

Vendor: Linux
Product: Linux
Version:
  Affected: 7.0
  Unaffected: 0 , < 7.0 (semver)
  Unaffected: 7.0.4 , ≤ 7.0.* (semver)
  Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/apparmor/path.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4b877ef27adc8ec187b0418629169856e7264e01",
              "status": "affected",
              "version": "93d4dbdc8da0b8a3ba86f4a08868084f8da872e1",
              "versionType": "git"
            },
            {
              "lessThan": "828bf7929bedcb79b560b5b4e44f22abee07d31b",
              "status": "affected",
              "version": "93d4dbdc8da0b8a3ba86f4a08868084f8da872e1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/apparmor/path.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "7.0"
            },
            {
              "lessThan": "7.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "7.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "7.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix string overrun due to missing termination\n\nWhen booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm\nSnapdragon X1 we see a string buffer overrun:\n\nBUG: KASAN: slab-out-of-bounds in aa_dfa_match (security/apparmor/match.c:535)\nRead of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120\n\nCPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY\nHardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025\nCall trace:\nshow_stack (arch/arm64/kernel/stacktrace.c:501) (C)\ndump_stack_lvl (lib/dump_stack.c:122)\nprint_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\nkasan_report (mm/kasan/report.c:597)\n__asan_report_load1_noabort (mm/kasan/report_generic.c:378)\naa_dfa_match (security/apparmor/match.c:535)\nmatch_mnt_path_str (security/apparmor/mount.c:244 security/apparmor/mount.c:336)\nmatch_mnt (security/apparmor/mount.c:371)\naa_bind_mount (security/apparmor/mount.c:447 (discriminator 4))\napparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))\nsecurity_sb_mount (security/security.c:1062 (discriminator 31))\npath_mount (fs/namespace.c:4101)\n__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)\ninvoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)\nel0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))\ndo_el0_svc (arch/arm64/kernel/syscall.c:152)\nel0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)\nel0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)\nel0t_64_sync (arch/arm64/kernel/entry.S:596)\n\nAllocated by task 2120:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79)\nkasan_save_alloc_info 
(mm/kasan/generic.c:571)\n__kasan_kmalloc (mm/kasan/common.c:419)\n__kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272)\naa_get_buffer (security/apparmor/lsm.c:2201)\naa_bind_mount (security/apparmor/mount.c:442)\napparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))\nsecurity_sb_mount (security/security.c:1062 (discriminator 31))\npath_mount (fs/namespace.c:4101)\n__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)\ninvoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)\nel0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))\ndo_el0_svc (arch/arm64/kernel/syscall.c:152)\nel0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)\nel0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)\nel0t_64_sync (arch/arm64/kernel/entry.S:596)\n\nThe buggy address belongs to the object at ffff0008901ca000\nwhich belongs to the cache kmalloc-rnd-06-8k of size 8192\nThe buggy address is located 0 bytes to the right of\nallocated 8192-byte region [ffff0008901ca000, ffff0008901cc000)\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9101c8\nhead: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:-1 pincount:0\nflags: 0x8000000000000040(head|zone=2)\npage_type: f5(slab)\nraw: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70\nraw: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000\nhead: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70\nhead: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000\nhead: 8000000000000003 fffffdffe2407201 fffffdffffffffff 00000000ffffffff\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy 
address:\nffff0008901cbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nffff0008\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:57:13.671Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4b877ef27adc8ec187b0418629169856e7264e01"
        },
        {
          "url": "https://git.kernel.org/stable/c/828bf7929bedcb79b560b5b4e44f22abee07d31b"
        }
      ],
      "title": "apparmor: Fix string overrun due to missing termination",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46055",
    "datePublished": "2026-05-27T12:57:13.671Z",
    "dateReserved": "2026-05-13T15:03:33.094Z",
    "dateUpdated": "2026-05-27T12:57:13.671Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46055",
      "date": "2026-05-29",
      "epss": "0.00018",
      "percentile": "0.05337"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46055\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T14:17:25.190\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\napparmor: Fix string overrun due to missing termination\\n\\nWhen booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm\\nSnapdragon X1 we see a string buffer overrun:\\n\\nBUG: KASAN: slab-out-of-bounds in aa_dfa_match (security/apparmor/match.c:535)\\nRead of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120\\n\\nCPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY\\nHardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025\\nCall trace:\\nshow_stack (arch/arm64/kernel/stacktrace.c:501) (C)\\ndump_stack_lvl (lib/dump_stack.c:122)\\nprint_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\\nkasan_report (mm/kasan/report.c:597)\\n__asan_report_load1_noabort (mm/kasan/report_generic.c:378)\\naa_dfa_match (security/apparmor/match.c:535)\\nmatch_mnt_path_str (security/apparmor/mount.c:244 security/apparmor/mount.c:336)\\nmatch_mnt (security/apparmor/mount.c:371)\\naa_bind_mount (security/apparmor/mount.c:447 (discriminator 4))\\napparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))\\nsecurity_sb_mount (security/security.c:1062 (discriminator 31))\\npath_mount (fs/namespace.c:4101)\\n__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)\\ninvoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)\\nel0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))\\ndo_el0_svc (arch/arm64/kernel/syscall.c:152)\\nel0_svc (arch/arm64/kernel/entry-common.c:80 
arch/arm64/kernel/entry-common.c:725)\\nel0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)\\nel0t_64_sync (arch/arm64/kernel/entry.S:596)\\n\\nAllocated by task 2120:\\nkasan_save_stack (mm/kasan/common.c:58)\\nkasan_save_track (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79)\\nkasan_save_alloc_info (mm/kasan/generic.c:571)\\n__kasan_kmalloc (mm/kasan/common.c:419)\\n__kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272)\\naa_get_buffer (security/apparmor/lsm.c:2201)\\naa_bind_mount (security/apparmor/mount.c:442)\\napparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))\\nsecurity_sb_mount (security/security.c:1062 (discriminator 31))\\npath_mount (fs/namespace.c:4101)\\n__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)\\ninvoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)\\nel0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))\\ndo_el0_svc (arch/arm64/kernel/syscall.c:152)\\nel0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)\\nel0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)\\nel0t_64_sync (arch/arm64/kernel/entry.S:596)\\n\\nThe buggy address belongs to the object at ffff0008901ca000\\nwhich belongs to the cache kmalloc-rnd-06-8k of size 8192\\nThe buggy address is located 0 bytes to the right of\\nallocated 8192-byte region [ffff0008901ca000, ffff0008901cc000)\\n\\nThe buggy address belongs to the physical page:\\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9101c8\\nhead: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:-1 pincount:0\\nflags: 0x8000000000000040(head|zone=2)\\npage_type: f5(slab)\\nraw: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70\\nraw: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000\\nhead: 
8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70\\nhead: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000\\nhead: 8000000000000003 fffffdffe2407201 fffffdffffffffff 00000000ffffffff\\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\\npage dumped because: kasan: bad access detected\\n\\nMemory state around the buggy address:\\nffff0008901cbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\nffff0008\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4b877ef27adc8ec187b0418629169856e7264e01\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/828bf7929bedcb79b560b5b4e44f22abee07d31b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

