Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects.
AnalysisAI
Out-of-bounds read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 exposes adjacent slab allocator memory to any local low-privileged user. The flaw originates in Canonical's Ubuntu-specific AppArmor SAUCE patches, which incorrectly validate the size of an internal structure during notification handling, enabling controlled reads past the intended memory boundary. No public exploit identified at time of analysis, and exploitation is strictly local; however, C:H in the CVSS vector confirms that successful exploitation can yield high-sensitivity kernel or cross-process data from slab neighbors.
Technical ContextAI
The vulnerable code resides in Ubuntu-specific AppArmor 'SAUCE' patches - downstream kernel modifications maintained by Canonical and not present in upstream Linux. CWE-125 (Out-of-Bounds Read) is the root cause class: a size validation check on an internal AppArmor structure is performed incorrectly, allowing the notification handling code path to read beyond its allocated slab object into adjacent kernel memory. Linux slab allocators (SLUB/SLAB) pack objects contiguously, so an out-of-bounds read can leak data from neighboring objects belonging to any kernel subsystem or user process. The CPE cpe:2.3:a:canonical:ubuntu_linux:*:*:*:*:*:*:*:* confirms this is a Canonical-maintained artifact, not an upstream kernel defect. The tags note 'Buffer Overflow' alongside 'Information Disclosure', but the CVSS vector (I:N/A:N) and CWE-125 classification confirm this is a read-only overread, not a write primitive.
RemediationAI
Apply the vendor-supplied fix available as Launchpad commit 0418e5f61b55465f19245705bce6590c807fc9f2 in the Ubuntu noble kernel git repository (https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=0418e5f61b55465f19245705bce6590c807fc9f2). Patch availability is confirmed per vendor (Canonical), but an exact released package version (e.g., linux-image-X.X.X-XX) is not independently confirmed from available data - monitor Ubuntu Security Notices (USN) for the official patched kernel package corresponding to your Ubuntu release. As a compensating control prior to patching, restrict local shell access to trusted users on affected systems, since exploitation requires local authenticated access (AV:L/PR:L); this does not eliminate the vulnerability but substantially limits the attacker pool. Disabling AppArmor notification functionality may serve as an additional workaround if operationally feasible, though this would degrade AppArmor policy enforcement capability and should be evaluated against the security trade-off.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32987
GHSA-4hmr-4vjc-3rg2