Skip to main content

Linux Kernel CVE-2026-45884

| EUVDEUVD-2026-32350 MEDIUM
Integer Underflow (CWE-191)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8h74-qh3g-94fx
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges is required to invoke AppArmor-mediated operations; impact is purely availability via resource starvation with no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:30 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

apparmor: avoid per-cpu hold underflow in aa_get_buffer

When aa_get_buffer() pulls from the per-cpu list it unconditionally decrements cache->hold. If hold reaches 0 while count is still non-zero, the unsigned decrement wraps to UINT_MAX. This keeps hold non-zero for a very long time, so aa_put_buffer() never returns buffers to the global list, which can starve other CPUs and force repeated kmalloc(aa_g_path_max) allocations.

Guard the decrement so hold never underflows.

AnalysisAI

Integer underflow in the Linux kernel's AppArmor subsystem (aa_get_buffer()) allows a local low-privileged user to cause per-CPU buffer starvation and system-wide denial of service. The cache->hold unsigned counter wraps to UINT_MAX when decremented below zero, permanently preventing aa_put_buffer() from recycling buffers back to the global pool and forcing repeated kmalloc(aa_g_path_max) heap allocations that starve other CPUs. No public exploit exists and EPSS is 0.02% (5th percentile); this is not in CISA KEV, but patches are available across multiple stable kernel branches.

Technical ContextAI

The vulnerability is a CWE-191 (Integer Underflow / Wrap-or-Wraparound) in the AppArmor Linux Security Module, which uses per-CPU buffer caches for MAC policy path resolution. In aa_get_buffer(), the cache->hold field is declared as an unsigned integer. When the function pulls a buffer from the per-CPU list, it decrements hold unconditionally. If hold is already 0 at the time of decrement, C unsigned integer semantics cause it to wrap to UINT_MAX (2^32−1), making the counter appear perpetually non-zero. This blocks the recycling branch in aa_put_buffer() from returning exhausted buffers to the global allocator, creating a resource leak that manifests as cross-CPU buffer starvation and repeated kernel heap allocations. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from commit ea9bae12d02819556db63348db8bd8441eb316f2 through the fixed stable releases). The 'Information Disclosure' tag in source metadata appears inconsistent with CVSS C:N and the description, which describes purely a resource management bug with no confidentiality pathway.

RemediationAI

Upgrade the Linux kernel to a patched stable release: 6.12.75, 6.18.14, 6.19.4, or any 7.0+ mainline build. The upstream fixes are available at git.kernel.org/stable (see commits 202824a1, 80c334ac, 4bcddd0f, 640cf2f0). Distribution vendors (Canonical, Red Hat, SUSE, Debian) will ship these fixes in their respective kernel update streams; consult your distribution's security advisory channel. If immediate patching is operationally infeasible, passing apparmor=0 on the kernel command line disables the vulnerable code path entirely, but this removes all AppArmor MAC enforcement - a meaningful security regression that is only acceptable if an alternative MAC mechanism (e.g., SELinux) is in use. Restricting local shell access to untrusted users on AppArmor-enabled systems is a softer compensating control that raises the bar without removing MAC protection. Advisory reference: https://nvd.nist.gov/vuln/detail/CVE-2026-45884.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-45884 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy