HOMEVULNERABILITIESCVE-2026-23407
HIGH

CVE-2026-23407

Published: April 1, 2026· Updated: Apr 2, 2026

7.8
CVSS v3.1
EPSS:0.01%probability of exploitation in 30 daysPercentile:1.7th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix missing bounds check on DEFAULT table in verify_dfa()

The verify_dfa() function only checks DEFAULT_TABLE bounds when the state

is not differentially encoded.

When the verification loop traverses the differential encoding chain,

it reads k = DEFAULT_TABLE[j] and uses k as an array index without

validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count,

therefore, causes both out-of-bounds reads and writes.

[ 57.179855] ==================================================================

[ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660

[ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993

[ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)

[ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014

[ 57.181563] Call Trace:

[ 57.181572] <TASK>

[ 57.181577] dump_stack_lvl+0x5e/0x80

[ 57.181596] print_report+0xc8/0x270

[ 57.181605] ? verify_dfa+0x59a/0x660

[ 57.181608] kasan_report+0x118/0x150

[ 57.181620] ? verify_dfa+0x59a/0x660

[ 57.181623] verify_dfa+0x59a/0x660

[ 57.181627] aa_dfa_unpack+0x1610/0x1740

[ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470

[ 57.181640] unpack_pdb+0x86d/0x46b0

[ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5

[ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5

[ 57.181656] ? aa_unpack_nameX+0x1a8/0x300

[ 57.181659] aa_unpack+0x20b0/0x4c30

[ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5

[ 57.181664] ? stack_depot_save_flags+0x33/0x700

[ 57.181681] ? kasan_save_track+0x4f/0x80

[ 57.181683] ? kasan_save_track+0x3e/0x80

[ 57.181686] ? __kasan_kmalloc+0x93/0xb0

[ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780

[ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130

[ 57.181697] ? policy_update+0x154/0x330

[ 57.181704] aa_replace_profiles+0x15a/0x1dd0

[ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5

[ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780

[ 57.181712] ? aa_loaddata_alloc+0x77/0x140

[ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5

[ 57.181717] ? _copy_from_user+0x2a/0x70

[ 57.181730] policy_update+0x17a/0x330

[ 57.181733] profile_replace+0x153/0x1a0

[ 57.181735] ? rw_verify_area+0x93/0x2d0

[ 57.181740] vfs_write+0x235/0xab0

[ 57.181745] ksys_write+0xb0/0x170

[ 57.181748] do_syscall_64+0x8e/0x660

[ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e

[ 57.181765] RIP: 0033:0x7f6192792eb2

Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE

entries unconditionally.

NVD Source

Technical Analysis

CVE-2026-23407 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
LinuxDebian
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (5)

Quick Facts

CVE IDCVE-2026-23407
CVSS Score7.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.01%
PublishedApr 1, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23407 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.