CVE-2026-46055 Overview
CVE-2026-46055 is an out-of-bounds read vulnerability in the Linux kernel's AppArmor Linux Security Module (LSM). The flaw resides in the aa_dfa_match function within security/apparmor/match.c and is triggered by a missing string termination during mount path matching. Kernel Address Sanitizer (KASAN) detected the slab-out-of-bounds read when booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm Snapdragon X1 system. The defect is reachable through the mount() system call path, where aa_bind_mount passes an unterminated buffer to the deterministic finite automaton (DFA) matcher.
Critical Impact
An unprivileged local process invoking mount() can trigger a kernel out-of-bounds read inside the AppArmor matcher, potentially leading to kernel memory disclosure or denial of service.
Affected Products
- Linux kernel (mainline, including 7.0-rc4)
- Distributions enabling AppArmor LSM (observed on Ubuntu 26.04)
- ARM64 platforms confirmed affected (Qualcomm Snapdragon X1 reproduction case)
Discovery Timeline
- 2026-05-27 - CVE-2026-46055 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-46055
Vulnerability Analysis
The vulnerability is an out-of-bounds read in the AppArmor mount mediation code. When aa_bind_mount calls aa_get_buffer to allocate an 8192-byte kmalloc region, the resulting string passed to match_mnt_path_str and match_mnt is not properly NUL-terminated. The DFA matcher aa_dfa_match at line 535 walks bytes until a terminator, reading one byte past the allocated 8192-byte region. KASAN flagged the access as a slab-out-of-bounds read of size 1 immediately to the right of the allocated buffer at [ffff0008901ca000, ffff0008901cc000).
Root Cause
The root cause is missing string termination on a buffer used during AppArmor mount policy evaluation. The buffer returned by aa_get_buffer in security/apparmor/lsm.c is populated with path data, but a terminator is not guaranteed before the buffer reaches aa_dfa_match. The matcher iterates byte by byte and dereferences memory beyond the allocation boundary when no in-buffer terminator is present.
Attack Vector
The vulnerability is reached through the __arm64_sys_mount syscall path: path_mount → security_sb_mount → apparmor_sb_mount → aa_bind_mount → match_mnt → match_mnt_path_str → aa_dfa_match. A local user with the ability to invoke mount() (for example, through unprivileged user namespaces or snap-update-ns as in the original report) can craft path inputs that trigger the unterminated read. The result is kernel memory read past a slab object, which can leak adjacent heap contents or destabilize the kernel.
No verified public exploit code is available for this issue. See the upstream commits referenced under Patch Information for the precise source-level fix.
Detection Methods for CVE-2026-46055
Indicators of Compromise
- KASAN reports referencing slab-out-of-bounds in aa_dfa_match in kernel logs (dmesg, /var/log/kern.log).
- Unexpected oops or panic backtraces containing aa_bind_mount, match_mnt_path_str, or apparmor_sb_mount.
- Repeated mount syscall failures from non-root processes such as snap-update-ns or container runtimes.
Detection Strategies
- Enable CONFIG_KASAN on test or canary kernels to surface the out-of-bounds read at runtime.
- Audit mount syscalls via auditd rules on arch=b64 with syscall=mount to correlate user activity with kernel warnings.
- Monitor for kernel taint flag changes and slab corruption messages in centralized log pipelines.
Monitoring Recommendations
- Forward kernel logs from Linux endpoints to a SIEM or data lake and alert on AppArmor or KASAN keywords.
- Track installed kernel versions across the fleet and flag hosts still running pre-patch builds of Linux 7.0-rc.
- Watch for abnormal use of unprivileged user namespaces, which broaden the population of users that can invoke mount().
How to Mitigate CVE-2026-46055
Immediate Actions Required
- Apply the upstream AppArmor termination fix to all affected kernels and rebuild.
- Prioritize ARM64 hosts and systems running development or release-candidate kernels where the issue was reproduced.
- Restrict unprivileged user namespace creation where operationally feasible to reduce reachable mount surface.
Patch Information
The Linux kernel maintainers resolved the issue by ensuring the buffer passed to aa_dfa_match is properly terminated. Refer to the upstream commits: Kernel Git Commit 4b877ef27adc and Kernel Git Commit 828bf7929bed. Distribution-specific backports should be tracked through vendor security trackers.
Workarounds
- Disable the AppArmor LSM at boot via apparmor=0 on kernels where patching is not yet possible, accepting the loss of AppArmor mediation.
- Limit CAP_SYS_ADMIN and unprivileged user namespaces using sysctl kernel.unprivileged_userns_clone=0 on supported distributions.
- Constrain container runtimes and tools such as snap-update-ns to trusted users until the patched kernel is deployed.
# Disable unprivileged user namespaces to reduce mount syscall exposure
sudo sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' | sudo tee /etc/sysctl.d/99-cve-2026-46055.conf
# Verify running kernel version against patched builds
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
