HOMEVULNERABILITIESCVE-2026-46055
HIGH

CVE-2026-46055

Published: May 27, 2026· Updated: May 30, 2026

7.1
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:5.3th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

apparmor: Fix string overrun due to missing termination

When booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm

Snapdragon X1 we see a string buffer overrun:

BUG: KASAN: slab-out-of-bounds in aa_dfa_match (security/apparmor/match.c:535)

Read of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120

CPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY

Hardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025

Call trace:

show_stack (arch/arm64/kernel/stacktrace.c:501) (C)

dump_stack_lvl (lib/dump_stack.c:122)

print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)

kasan_report (mm/kasan/report.c:597)

__asan_report_load1_noabort (mm/kasan/report_generic.c:378)

aa_dfa_match (security/apparmor/match.c:535)

match_mnt_path_str (security/apparmor/mount.c:244 security/apparmor/mount.c:336)

match_mnt (security/apparmor/mount.c:371)

aa_bind_mount (security/apparmor/mount.c:447 (discriminator 4))

apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))

security_sb_mount (security/security.c:1062 (discriminator 31))

path_mount (fs/namespace.c:4101)

__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)

invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)

el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))

do_el0_svc (arch/arm64/kernel/syscall.c:152)

el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)

el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)

el0t_64_sync (arch/arm64/kernel/entry.S:596)

Allocated by task 2120:

kasan_save_stack (mm/kasan/common.c:58)

kasan_save_track (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79)

kasan_save_alloc_info (mm/kasan/generic.c:571)

__kasan_kmalloc (mm/kasan/common.c:419)

__kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272)

aa_get_buffer (security/apparmor/lsm.c:2201)

aa_bind_mount (security/apparmor/mount.c:442)

apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))

security_sb_mount (security/security.c:1062 (discriminator 31))

path_mount (fs/namespace.c:4101)

__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)

invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)

el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))

do_el0_svc (arch/arm64/kernel/syscall.c:152)

el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)

el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)

el0t_64_sync (arch/arm64/kernel/entry.S:596)

The buggy address belongs to the object at ffff0008901ca000

which belongs to the cache kmalloc-rnd-06-8k of size 8192

The buggy address is located 0 bytes to the right of

allocated 8192-byte region [ffff0008901ca000, ffff0008901cc000)

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9101c8

head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:-1 pincount:0

flags: 0x8000000000000040(head|zone=2)

page_type: f5(slab)

raw: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70

raw: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000

head: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70

head: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000

head: 8000000000000003 fffffdffe2407201 fffffdffffffffff 00000000ffffffff

head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff0008901cbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

ffff0008

---truncated---

NVD Source

Technical Analysis

CVE-2026-46055 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), availability disruption (denial of service), with a CVSS base score of 7.1.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Affected Vendors & Products

Mentioned vendors (from description):
LinuxUbuntuQualcommLenovo
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (2)

Quick Facts

CVE IDCVE-2026-46055
CVSS Score7.1 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-46055 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.