GHSA-G4Q8-M3PW-QHVV
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix NULL pointer dereference in __unix_needs_revalidation
When receiving file descriptors via SCM_RIGHTS, both the socket pointer and the socket's sk pointer can be NULL during socket setup or teardown, causing NULL pointer dereferences in __unix_needs_revalidation().
This is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new __unix_needs_revalidation() function was added without proper NULL checks.
The crash manifests as: BUG: kernel NULL pointer dereference, address: 0x0000000000000018 RIP: aa_file_perm+0xb7/0x3b0 (or +0xbe/0x3b0, +0xc0/0x3e0) Call Trace: apparmor_file_receive+0x42/0x80 security_file_receive+0x2e/0x50 receive_fd+0x1d/0xf0 scm_detach_fds+0xad/0x1c0
The function dereferences sock->sk->sk_family without checking if either sock or sock->sk is NULL first.
Add NULL checks for both sock and sock->sk before accessing sk_family.
{
"affected": [],
"aliases": [
"CVE-2026-45966"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:13Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix NULL pointer dereference in __unix_needs_revalidation\n\nWhen receiving file descriptors via SCM_RIGHTS, both the socket pointer\nand the socket\u0027s sk pointer can be NULL during socket setup or teardown,\ncausing NULL pointer dereferences in __unix_needs_revalidation().\n\nThis is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new\n__unix_needs_revalidation() function was added without proper NULL checks.\n\nThe crash manifests as:\n BUG: kernel NULL pointer dereference, address: 0x0000000000000018\n RIP: aa_file_perm+0xb7/0x3b0 (or +0xbe/0x3b0, +0xc0/0x3e0)\n Call Trace:\n apparmor_file_receive+0x42/0x80\n security_file_receive+0x2e/0x50\n receive_fd+0x1d/0xf0\n scm_detach_fds+0xad/0x1c0\n\nThe function dereferences sock-\u003esk-\u003esk_family without checking if either\nsock or sock-\u003esk is NULL first.\n\nAdd NULL checks for both sock and sock-\u003esk before accessing sk_family.",
"id": "GHSA-g4q8-m3pw-qhvv",
"modified": "2026-05-27T15:33:18Z",
"published": "2026-05-27T15:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45966"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e2938ad00b21340c0362562dfedd7cfec0554d67"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e85bc9101afc4202aa2269967ce9d3ffbecd0994"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fea017a7f6abe179decf575a2d8464c74edb3964"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.