GHSA-MX5H-MW9C-R2FH

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33
Details

In the Linux kernel, the following vulnerability has been resolved:

apparmor: Fix string overrun due to missing termination

When booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm Snapdragon X1 we see a string buffer overrun:

BUG: KASAN: slab-out-of-bounds in aa_dfa_match (security/apparmor/match.c:535)
Read of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120

CPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY
Hardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025
Call trace:
show_stack (arch/arm64/kernel/stacktrace.c:501) (C)
dump_stack_lvl (lib/dump_stack.c:122)
print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
kasan_report (mm/kasan/report.c:597)
__asan_report_load1_noabort (mm/kasan/report_generic.c:378)
aa_dfa_match (security/apparmor/match.c:535)
match_mnt_path_str (security/apparmor/mount.c:244 security/apparmor/mount.c:336)
match_mnt (security/apparmor/mount.c:371)
aa_bind_mount (security/apparmor/mount.c:447 (discriminator 4))
apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))
security_sb_mount (security/security.c:1062 (discriminator 31))
path_mount (fs/namespace.c:4101)
__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)
invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)
el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))
do_el0_svc (arch/arm64/kernel/syscall.c:152)
el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)
el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)
el0t_64_sync (arch/arm64/kernel/entry.S:596)

Allocated by task 2120:
kasan_save_stack (mm/kasan/common.c:58)
kasan_save_track (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79)
kasan_save_alloc_info (mm/kasan/generic.c:571)
__kasan_kmalloc (mm/kasan/common.c:419)
__kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272)
aa_get_buffer (security/apparmor/lsm.c:2201)
aa_bind_mount (security/apparmor/mount.c:442)
apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))
security_sb_mount (security/security.c:1062 (discriminator 31))
path_mount (fs/namespace.c:4101)
__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)
invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)
el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))
do_el0_svc (arch/arm64/kernel/syscall.c:152)
el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)
el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)
el0t_64_sync (arch/arm64/kernel/entry.S:596)

The buggy address belongs to the object at ffff0008901ca000
which belongs to the cache kmalloc-rnd-06-8k of size 8192
The buggy address is located 0 bytes to the right of
allocated 8192-byte region [ffff0008901ca000, ffff0008901cc000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9101c8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:-1 pincount:0
flags: 0x8000000000000040(head|zone=2)
page_type: f5(slab)
raw: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70
raw: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000
head: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70
head: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000
head: 8000000000000003 fffffdffe2407201 fffffdffffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0008901cbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0008
---truncated---


{
  "affected": [],
  "aliases": [
    "CVE-2026-46055"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:25Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix string overrun due to missing termination\n\nWhen booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm\nSnapdragon X1 we see a string buffer overrun:\n\nBUG: KASAN: slab-out-of-bounds in aa_dfa_match (security/apparmor/match.c:535)\nRead of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120\n\nCPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY\nHardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025\nCall trace:\nshow_stack (arch/arm64/kernel/stacktrace.c:501) (C)\ndump_stack_lvl (lib/dump_stack.c:122)\nprint_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\nkasan_report (mm/kasan/report.c:597)\n__asan_report_load1_noabort (mm/kasan/report_generic.c:378)\naa_dfa_match (security/apparmor/match.c:535)\nmatch_mnt_path_str (security/apparmor/mount.c:244 security/apparmor/mount.c:336)\nmatch_mnt (security/apparmor/mount.c:371)\naa_bind_mount (security/apparmor/mount.c:447 (discriminator 4))\napparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))\nsecurity_sb_mount (security/security.c:1062 (discriminator 31))\npath_mount (fs/namespace.c:4101)\n__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)\ninvoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)\nel0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))\ndo_el0_svc (arch/arm64/kernel/syscall.c:152)\nel0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)\nel0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)\nel0t_64_sync (arch/arm64/kernel/entry.S:596)\n\nAllocated by task 2120:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79)\nkasan_save_alloc_info (mm/kasan/generic.c:571)\n__kasan_kmalloc (mm/kasan/common.c:419)\n__kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272)\naa_get_buffer (security/apparmor/lsm.c:2201)\naa_bind_mount (security/apparmor/mount.c:442)\napparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))\nsecurity_sb_mount (security/security.c:1062 (discriminator 31))\npath_mount (fs/namespace.c:4101)\n__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)\ninvoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)\nel0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))\ndo_el0_svc (arch/arm64/kernel/syscall.c:152)\nel0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)\nel0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)\nel0t_64_sync (arch/arm64/kernel/entry.S:596)\n\nThe buggy address belongs to the object at ffff0008901ca000\nwhich belongs to the cache kmalloc-rnd-06-8k of size 8192\nThe buggy address is located 0 bytes to the right of\nallocated 8192-byte region [ffff0008901ca000, ffff0008901cc000)\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9101c8\nhead: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:-1 pincount:0\nflags: 0x8000000000000040(head|zone=2)\npage_type: f5(slab)\nraw: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70\nraw: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000\nhead: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70\nhead: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000\nhead: 8000000000000003 fffffdffe2407201 fffffdffffffffff 00000000ffffffff\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\nffff0008901cbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nffff0008\n---truncated---",
  "id": "GHSA-mx5h-mw9c-r2fh",
  "modified": "2026-05-27T15:33:22Z",
  "published": "2026-05-27T15:33:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46055"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b877ef27adc8ec187b0418629169856e7264e01"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/828bf7929bedcb79b560b5b4e44f22abee07d31b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

