Skip to main content

Linux Kernel EUVDEUVD-2026-32250

| CVE-2026-45966 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-g4q8-m3pw-qhvv
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access only, low privilege sufficient to send SCM_RIGHTS; pure kernel crash impact means C:N/I:N and A:H, with no scope change.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 16, 2026 - 04:58 vuln.today
CVSS changed
Jun 16, 2026 - 02:52 NVD
5.5 (MEDIUM)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix NULL pointer dereference in __unix_needs_revalidation

When receiving file descriptors via SCM_RIGHTS, both the socket pointer and the socket's sk pointer can be NULL during socket setup or teardown, causing NULL pointer dereferences in __unix_needs_revalidation().

This is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new __unix_needs_revalidation() function was added without proper NULL checks.

The crash manifests as: BUG: kernel NULL pointer dereference, address: 0x0000000000000018 RIP: aa_file_perm+0xb7/0x3b0 (or +0xbe/0x3b0, +0xc0/0x3e0) Call Trace: apparmor_file_receive+0x42/0x80 security_file_receive+0x2e/0x50 receive_fd+0x1d/0xf0 scm_detach_fds+0xad/0x1c0

The function dereferences sock->sk->sk_family without checking if either sock or sock->sk is NULL first.

Add NULL checks for both sock and sock->sk before accessing sk_family.

AnalysisAI

NULL pointer dereference in the Linux kernel's AppArmor LSM (__unix_needs_revalidation()) allows a local low-privileged user to crash the kernel, resulting in a denial of service. Introduced as a regression in kernel 6.17 with AppArmor 5.0.0, the flaw is triggered by passing file descriptors over UNIX domain sockets via SCM_RIGHTS when the receiving socket or its sk pointer is NULL during transient setup or teardown states. No active exploitation is confirmed (absent from CISA KEV), and EPSS sits at 0.02% (4th percentile), indicating low exploitation probability; patches are available in stable releases 6.18.14, 6.19.4, and 7.0.

Technical ContextAI

The affected code is the __unix_needs_revalidation() function in the AppArmor Linux Security Module (LSM), added in Linux 6.17 as part of AppArmor 5.0.0. The function is called from apparmor_file_receive()security_file_receive()receive_fd()scm_detach_fds() when a process receives file descriptors via the SCM_RIGHTS ancillary message mechanism over UNIX domain sockets. The root cause (CWE-476, NULL Pointer Dereference) is the unconditional dereference of sock->sk->sk_family without first verifying that sock and sock->sk are non-NULL. During socket setup or teardown, both pointers legitimately pass through NULL states, making the code path crashable. The CPE string cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* covers the broad Linux kernel lineage, with the regression bounded to commit 88fec3526e84 (introduction) through the three fix commits (e2938ad, e85bc91, fea017a).

RemediationAI

Upgrade to a patched kernel version: 6.18.14, 6.19.4, or 7.0. Three upstream fix commits address the regression and are available via the Linux stable tree: e2938ad00b21340c0362562dfedd7cfec0554d67 (https://git.kernel.org/stable/c/e2938ad00b21340c0362562dfedd7cfec0554d67), e85bc9101afc4202aa2269967ce9d3ffbecd0994 (https://git.kernel.org/stable/c/e85bc9101afc4202aa2269967ce9d3ffbecd0994), and fea017a7f6abe179decf575a2d8464c74edb3964 (https://git.kernel.org/stable/c/fea017a7f6abe179decf575a2d8464c74edb3964). Ubuntu users should apply updates per USN-8374-1. If an immediate kernel upgrade is operationally infeasible, a compensating control is to disable AppArmor enforcement (systemctl disable apparmor && aa-teardown), though this removes all AppArmor MAC protections and should be treated as a temporary measure with significant security trade-offs. Restricting UNIX socket SCM_RIGHTS usage via seccomp policy (blocking sendmsg with ancillary data) is a more targeted workaround but may break legitimate application behavior. Vendor-released patches are confirmed available per the fix versions above.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-32250 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy