Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.
AnalysisAI
Out-of-bounds heap read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 stems from AppArmor SAUCE patches miscomputing an internal buffer size during notification handling, allowing an unprivileged local user to feed invalid data into the AppArmor DFA policy engine. The flaw carries a CVSS 7.8 (high) and currently has no public exploit identified at time of analysis, though Canonical has shipped an upstream kernel fix. Impact is limited to local attackers but high-severity given full CIA impact in the CVSS vector.
Technical ContextAI
AppArmor is a Linux Security Module (LSM) used by Ubuntu to enforce mandatory access control via profile-based policies compiled into a deterministic finite automaton (DFA). Canonical maintains downstream-only 'SAUCE' patches that add functionality such as kernel-userspace notifications for policy decisions. This vulnerability (CWE-125, out-of-bounds read) lives in the notification-handling code path of those SAUCE patches, where an incorrect size calculation for an internal buffer permits reads past its allocated region. The corrupt data is then handed to the DFA policy engine, which is the core matcher AppArmor uses to evaluate access requests against compiled profiles. CPE data confirms the affected product is cpe:2.3:a:canonical:ubuntu_linux across kernel series 6.8 (Noble), 6.17, and 7.0.
RemediationAI
Upstream fix available (commit 635fa30ed9e944bdb7e811fb8a8906286b4b4f06 in the Ubuntu Noble linux git tree); released patched version not independently confirmed from the provided data, so apt-get update && apt-get install linux-image-generic (or the appropriate flavor) once Canonical publishes the corresponding USN is the primary remediation, followed by a reboot to load the patched kernel. The fix reference is https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=635fa30ed9e944bdb7e811fb8a8906286b4b4f06 - track Canonical's USN portal for the exact released package version per release. As a compensating control until patched, restrict who can interact with AppArmor notifications by limiting local shell access on multi-tenant systems and avoiding userspace mediation tooling such as snapd-confine or aa-notify on untrusted accounts (side effect: breaks any tooling that relies on userspace AppArmor prompts); disabling AppArmor entirely (apparmor=0 on the kernel command line) closes the code path but removes all MAC protection and is strongly discouraged on production hosts.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32988
GHSA-79jw-477r-jj6f