Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.
AnalysisAI
Memory exhaustion via AppArmor notification handling affects Ubuntu Linux kernel versions carrying Ubuntu-specific SAUCE patches (6.8, 6.17, 7.0). An unprivileged local user can trigger a memory leak by eliciting large responses to AppArmor userspace notifications, repeatedly consuming kernel memory without release. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified, but the low-privilege local trigger lowers the bar for insider or co-tenant abuse in multi-user and container environments.
Technical ContextAI
The vulnerability resides in Ubuntu's SAUCE patch layer - Ubuntu-specific kernel modifications not present in mainline Linux - specifically in the AppArmor Linux Security Module's notification subsystem. AppArmor userspace notifications allow applications to receive and respond to security policy events; when those responses are large ('big responses'), the kernel code path fails to release allocated memory, constituting a classic CWE-401 (Missing Release of Memory after Effective Lifetime) defect. The affected CPE is cpe:2.3:a:canonical:ubuntu_linux covering kernel versions 6.8, 6.17, and 7.0 as shipped by Canonical. Because SAUCE patches are Ubuntu-proprietary, this bug does not affect upstream or other distribution kernels.
RemediationAI
Apply the upstream fix commit available in the Ubuntu kernel noble branch at https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=8d858ecb7e2e216ca2987302a04c266f2355fefe. This is a source-level commit fix; an exact released kernel package version incorporating this fix has not been independently confirmed from the available data, so monitor Ubuntu Security Notices (USN) for a corresponding kernel package update for Ubuntu 24.04 LTS. As a compensating control prior to patching, administrators can restrict access to AppArmor notification features by limiting which users or processes can interact with AppArmor's notify socket (e.g., via namespace isolation or seccomp profiles), though this may break applications relying on AppArmor userspace notification policies. On systems where AppArmor notify functionality is not required, disabling the notify feature reduces attack surface with no operational impact to standard AppArmor policy enforcement.
Same weakness CWE-401 – Memory Leak
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32981
GHSA-rpqm-wqwm-759w