{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23410", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.013Z", "datePublished": "2026-04-01T08:36:39.202Z", "dateUpdated": "2026-04-01T08:36:39.202Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-01T08:36:39.202Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix race on rawdata dereference\n\nThere is a race condition that leads to a use-after-free situation:\nbecause the rawdata inodes are not refcounted, an attacker can start\nopen()ing one of the rawdata files, and at the same time remove the\nlast reference to this rawdata (by removing the corresponding profile,\nfor example), which frees its struct aa_loaddata; as a result, when\nseq_rawdata_open() is reached, i_private is a dangling pointer and\nfreed memory is accessed.\n\nThe rawdata inodes weren't refcounted to avoid a circular refcount and\nwere supposed to be held by the profile rawdata reference. However\nduring profile removal there is a window where the vfs and profile\ndestruction race, resulting in the use after free.\n\nFix this by moving to a double refcount scheme. Where the profile\nrefcount on rawdata is used to break the circular dependency. Allowing\nfor freeing of the rawdata once all inode references to the rawdata\nare put."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/apparmor/apparmorfs.c", "security/apparmor/include/policy_unpack.h", "security/apparmor/policy.c", "security/apparmor/policy_unpack.c"], "versions": [{"version": "5d5182cae40115c03933989473288e54afb39c7c", "lessThan": "6ef1f2926c41ab96952d9696d55a052f1b3a9418", "status": "affected", "versionType": "git"}, {"version": "5d5182cae40115c03933989473288e54afb39c7c", "lessThan": "f9761add6d100962a23996cb68f3d6abdd4d1815", "status": "affected", "versionType": "git"}, {"version": "5d5182cae40115c03933989473288e54afb39c7c", "lessThan": "af782cc8871e3683ddd5a3cd2f7df526599863a9", "status": "affected", "versionType": "git"}, {"version": "5d5182cae40115c03933989473288e54afb39c7c", "lessThan": "763e838adc3c7ec5a7df2990ce84cad951e42721", "status": "affected", "versionType": "git"}, {"version": "5d5182cae40115c03933989473288e54afb39c7c", "lessThan": "a0b7091c4de45a7325c8780e6934a894f92ac86b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/apparmor/apparmorfs.c", "security/apparmor/include/policy_unpack.h", "security/apparmor/policy.c", "security/apparmor/policy_unpack.c"], "versions": [{"version": "4.13", "status": "affected"}, {"version": "0", "lessThan": "4.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.18", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.8", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.18.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.19.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "7.0-rc4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6ef1f2926c41ab96952d9696d55a052f1b3a9418"}, {"url": "https://git.kernel.org/stable/c/f9761add6d100962a23996cb68f3d6abdd4d1815"}, {"url": "https://git.kernel.org/stable/c/af782cc8871e3683ddd5a3cd2f7df526599863a9"}, {"url": "https://git.kernel.org/stable/c/763e838adc3c7ec5a7df2990ce84cad951e42721"}, {"url": "https://git.kernel.org/stable/c/a0b7091c4de45a7325c8780e6934a894f92ac86b"}], "title": "apparmor: fix race on rawdata dereference", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix race on rawdata dereference\n\nThere is a race condition that leads to a use-after-free situation:\nbecause the rawdata inodes are not refcounted, an attacker can start\nopen()ing one of the rawdata files, and at the same time remove the\nlast reference to this rawdata (by removing the corresponding profile,\nfor example), which frees its struct aa_loaddata; as a result, when\nseq_rawdata_open() is reached, i_private is a dangling pointer and\nfreed memory is accessed.\n\nThe rawdata inodes weren't refcounted to avoid a circular refcount and\nwere supposed to be held by the profile rawdata reference. However\nduring profile removal there is a window where the vfs and profile\ndestruction race, resulting in the use after free.\n\nFix this by moving to a double refcount scheme. Where the profile\nrefcount on rawdata is used to break the circular dependency. Allowing\nfor freeing of the rawdata once all inode references to the rawdata\nare put."}], "id": "CVE-2026-23410", "lastModified": "2026-04-01T09:16:17.093", "metrics": {}, "published": "2026-04-01T09:16:17.093", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6ef1f2926c41ab96952d9696d55a052f1b3a9418"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/763e838adc3c7ec5a7df2990ce84cad951e42721"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a0b7091c4de45a7325c8780e6934a894f92ac86b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/af782cc8871e3683ddd5a3cd2f7df526599863a9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f9761add6d100962a23996cb68f3d6abdd4d1815"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}