HOMEVULNERABILITIESCVE-2026-23406
HIGH

CVE-2026-23406

Published: April 1, 2026· Updated: Apr 2, 2026

7.8
CVSS v3.1
EPSS:0.01%probability of exploitation in 30 daysPercentile:1.7th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix side-effect bug in match_char() macro usage

The match_char() macro evaluates its character parameter multiple

times when traversing differential encoding chains. When invoked

with *str++, the string pointer advances on each iteration of the

inner do-while loop, causing the DFA to check different characters

at each iteration and therefore skip input characters.

This results in out-of-bounds reads when the pointer advances past

the input buffer boundary.

[ 94.984676] ==================================================================

[ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760

[ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976

[ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)

[ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014

[ 94.986329] Call Trace:

[ 94.986341] <TASK>

[ 94.986347] dump_stack_lvl+0x5e/0x80

[ 94.986374] print_report+0xc8/0x270

[ 94.986384] ? aa_dfa_match+0x5ae/0x760

[ 94.986388] kasan_report+0x118/0x150

[ 94.986401] ? aa_dfa_match+0x5ae/0x760

[ 94.986405] aa_dfa_match+0x5ae/0x760

[ 94.986408] __aa_path_perm+0x131/0x400

[ 94.986418] aa_path_perm+0x219/0x2f0

[ 94.986424] apparmor_file_open+0x345/0x570

[ 94.986431] security_file_open+0x5c/0x140

[ 94.986442] do_dentry_open+0x2f6/0x1120

[ 94.986450] vfs_open+0x38/0x2b0

[ 94.986453] ? may_open+0x1e2/0x2b0

[ 94.986466] path_openat+0x231b/0x2b30

[ 94.986469] ? __x64_sys_openat+0xf8/0x130

[ 94.986477] do_file_open+0x19d/0x360

[ 94.986487] do_sys_openat2+0x98/0x100

[ 94.986491] __x64_sys_openat+0xf8/0x130

[ 94.986499] do_syscall_64+0x8e/0x660

[ 94.986515] ? count_memcg_events+0x15f/0x3c0

[ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5

[ 94.986540] ? handle_mm_fault+0x1639/0x1ef0

[ 94.986551] ? vma_start_read+0xf0/0x320

[ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5

[ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5

[ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0

[ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5

[ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0

[ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5

[ 94.986588] ? irqentry_exit+0x3c/0x590

[ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e

[ 94.986597] RIP: 0033:0x7fda4a79c3ea

Fix by extracting the character value before invoking match_char,

ensuring single evaluation per outer loop.

NVD Source

Technical Analysis

CVE-2026-23406 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
LinuxDebian
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (5)

Quick Facts

CVE IDCVE-2026-23406
CVSS Score7.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.01%
PublishedApr 1, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23406 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.