Skip to main content

Ubuntu Linux Kernel EUVDEUVD-2026-32986

| CVE-2026-47331 HIGH
Use After Free (CWE-416)
2026-05-28 canonical GHSA-2qg4-q443-hfg6
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 28, 2026 - 19:21 vuln.today
CVE Published
May 28, 2026 - 18:28 nvd
HIGH 7.8

DescriptionCVE.org

Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution.

AnalysisAI

Local privilege escalation in Ubuntu Linux 6.8 kernel stems from an AppArmor SAUCE patch that omits proper locking when modifying a linked list, enabling a race condition that can be exploited by an unprivileged local user. Successful exploitation leads to a use-after-free condition with theoretical arbitrary code execution in kernel context. No public exploit identified at time of analysis, and the issue is not present on the CISA KEV list.

Technical ContextAI

The flaw resides in Canonical's downstream 'SAUCE' (Stable Release Updates patches that are Ubuntu-specific Concrete Enhancements) modifications to AppArmor, the Linux Security Module that mediates capability and resource access on Ubuntu systems. The defect class is CWE-416 (Use After Free): a linked-list mutation is performed without holding the required lock, so a concurrent thread can free or unlink a node while another reference is still live, leaving a dangling pointer that the kernel later dereferences. According to the supplied CPE, the affected product is cpe:2.3:a:canonical:ubuntu_linux, specifically the 6.8 kernel series used by Ubuntu 24.04 'Noble Numbat' as referenced by the launchpad patch URL.

RemediationAI

Upstream fix available (commit 5e5cd4759b63363373faf1ce15d1cab3606d6ec8 in the Ubuntu noble kernel tree); a released patched version is reported available from the vendor but the exact Ubuntu kernel package version is not enumerated in the provided data, so administrators should consult the Ubuntu Security Notice index and apply the latest linux-image-generic update for Noble (6.8) via 'apt update && apt upgrade' followed by a reboot. The patch URL is https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=5e5cd4759b63363373faf1ce15d1cab3606d6ec8. As a compensating control on hosts that cannot be promptly rebooted, restrict local shell access to trusted users (the bug requires an unprivileged local account), disable creation of unprivileged user namespaces via sysctl kernel.unprivileged_userns_clone=0 to reduce kernel attack surface (note: this can break container tools such as rootless Podman, snap confinement, and Chromium sandboxing), and consider temporarily disabling the AppArmor LSM via 'aa-teardown' or kernel parameter apparmor=0 to remove the vulnerable code path entirely (note: this disables all AppArmor profile enforcement and significantly weakens the system's default MAC posture, so it is only appropriate as a short-term measure on tightly controlled hosts).

Share

EUVD-2026-32986 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy