Skip to main content

Linux Kernel CVE-2026-45965

| EUVDEUVD-2026-32249 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8pgm-3pm8-2qcc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H reflects the requirement for two prior administrative actions (disabling export_binary at runtime then replacing a profile) beyond the attacker's control; no C or I impact applies.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 04:59 vuln.today
CVSS changed
Jun 16, 2026 - 02:52 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix invalid deref of rawdata when export_binary is unset

If the export_binary parameter is disabled on runtime, profiles that were loaded before that will still have their rawdata stored in apparmorfs, with a symbolic link to the rawdata on the policy directory. When one of those profiles are replaced, the rawdata is set to NULL, but when trying to resolve the symbolic links to rawdata for that profile, it will try to dereference profile->rawdata->name when profile->rawdata is now NULL causing an oops. Fix it by checking if rawdata is set.

[ 168.653080] BUG: kernel NULL pointer dereference, address: 0000000000000088 [ 168.657420] #PF: supervisor read access in kernel mode [ 168.660619] #PF: error_code(0x0000) - not-present page [ 168.663613] PGD 0 P4D 0 [ 168.665450] Oops: Oops: 0000 [#1] SMP NOPTI [ 168.667836] CPU: 1 UID: 0 PID: 1729 Comm: ls Not tainted 6.19.0-rc7+ #3 PREEMPT(voluntary) [ 168.672308] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 168.679327] RIP: 0010:rawdata_get_link_base.isra.0+0x23/0x330 [ 168.682768] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 18 48 89 55 d0 48 85 ff 0f 84 e3 01 00 00 <48> 83 3c 25 88 00 00 00 00 0f 84 d4 01 00 00 49 89 f6 49 89 cc e8 [ 168.689818] RSP: 0018:ffffcdcb8200fb80 EFLAGS: 00010282 [ 168.690871] RAX: ffffffffaee74ec0 RBX: 0000000000000000 RCX: ffffffffb0120158 [ 168.692251] RDX: ffffcdcb8200fbe0 RSI: ffff88c187c9fa80 RDI: ffff88c186c98a80 [ 168.693593] RBP: ffffcdcb8200fbc0 R08: 0000000000000000 R09: 0000000000000000 [ 168.694941] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88c186c98a80 [ 168.696289] R13: 00007fff005aaa20 R14: 0000000000000080 R15: ffff88c188f4fce0 [ 168.697637] FS: 0000790e81c58280(0000) GS:ffff88c20a957000(0000) knlGS:0000000000000000 [ 168.699227] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 168.700349] CR2: 0000000000000088 CR3: 000000012fd3e000 CR4: 0000000000350ef0 [ 168.701696] Call Trace: [ 168.702325] <TASK> [ 168.702995] rawdata_get_link_data+0x1c/0x30 [ 168.704145] vfs_readlink+0xd4/0x160 [ 168.705152] do_readlinkat+0x114/0x180 [ 168.706214] __x64_sys_readlink+0x1e/0x30 [ 168.708653] x64_sys_call+0x1d77/0x26b0 [ 168.709525] do_syscall_64+0x81/0x500 [ 168.710348] ? do_statx+0x72/0xb0 [ 168.711109] ? putname+0x3e/0x80 [ 168.711845] ? __x64_sys_statx+0xb7/0x100 [ 168.712711] ? x64_sys_call+0x10fc/0x26b0 [ 168.713577] ? do_syscall_64+0xbf/0x500 [ 168.714412] ? do_user_addr_fault+0x1d2/0x8d0 [ 168.715404] ? irqentry_exit+0xb2/0x740 [ 168.716359] ? exc_page_fault+0x90/0x1b0 [ 168.717307] entry_SYSCALL_64_after_hwframe+0x76/0x7e

AnalysisAI

Kernel NULL pointer dereference in the Linux AppArmor security module allows a local low-privileged user to crash the system by reading an apparmorfs symbolic link under a specific runtime configuration sequence. The flaw exists in rawdata_get_link_base, where profile->rawdata->name is dereferenced without first verifying that rawdata is non-NULL after a profile replacement clears it. No public exploit exists and EPSS stands at 0.02%, though the crash is fully reproducible from the conditions documented in the commit description.

Technical ContextAI

AppArmor is a Linux Security Module (LSM) providing mandatory access control via security profiles managed through the AppArmor filesystem (apparmorfs) at /sys/kernel/security/apparmor/. The vulnerability resides in rawdata_get_link_base (security/apparmor/apparmorfs.c), which resolves symbolic links pointing to the raw binary policy data stored per-profile. When the export_binary kernel parameter is disabled at runtime, profiles that were already loaded retain their rawdata in apparmorfs including a symlink from the policy directory. Upon a subsequent profile replacement, profile->rawdata is zeroed, but the link resolver does not guard against this NULL before accessing profile->rawdata->name. The crash occurs at offset 0x88 from the NULL address, consistent with the name field offset within the rawdata structure. CWE-476 (NULL Pointer Dereference) is the confirmed root cause; the fix is a single NULL check added prior to dereference. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, covering kernels from the introducing commit (1180b4c757aab5506f1be367000364dd5cf5cd02, first appearing in Linux 4.17) through multiple stable series.

RemediationAI

Update the Linux kernel to a patched stable release for your branch: 5.10.252 or later, 5.15.202 or later, 6.1.165 or later, 6.6.128 or later, 6.12.75 or later, 6.18.14 or later, or 6.19.4 or later. Upstream patch commits are available at git.kernel.org for all affected stable series (b25298e89a297c42eb4c4d6f081d60375b820abb, 1432ab0774cba43e8111be39989ff226531a9bac, 19f2e4055626a58842ddec3282ad4465a80c6625, 6d8c180c825cbc73eeffaa79591f8e142dacae70, e6b2fc7e34d4e7ca6b8598c33a3d45d59e455d8d, 3c36b87fc2a4cf88eadea8cf13923bd2b4f9a3fa, df9ac55abd18628bd8cff687ea043660532a3654, 1d2b2b58fde9059a488bc25399e6c3d74e9b5548). If immediate patching is not possible, as a compensating control avoid disabling export_binary at runtime on production systems where AppArmor profiles are actively replaced; keeping export_binary enabled eliminates the NULL-setting path during profile replacement. Alternatively, restrict local user read access to /sys/kernel/security/apparmor/policy/ via filesystem namespace controls or seccomp policy filtering readlink syscalls against apparmorfs paths - note this may break legitimate AppArmor management tools such as aa-status and libapparmor.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45965 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy