CVE-2026-23405

MEDIUM

apparmor: fix: limit the number of levels of policy namespaces

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix: limit the number of levels of policy namespaces Currently the number of policy namespaces is not bounded relying on the user namespace limit. However policy namespaces aren't strictly tied to user namespaces and it is possible to create them and nest them arbitrarily deep which can be used to exhaust system resource. Hard cap policy namespaces to the same depth as user namespaces.

Scores

CVSS v3 5.5
EPSS 0.0018
EPSS Percentile 7.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

Status published
Products (29)
linux/Kernel 2.6.36 - 5.10.253linux
linux/Kernel 5.11.0 - 5.15.203linux
linux/Kernel 5.16.0 - 6.1.169linux
linux/Kernel 6.13.0 - 6.18.18linux
linux/Kernel 6.19.0 - 6.19.8linux
linux/Kernel 6.2.0 - 6.6.130linux
linux/Kernel 6.7.0 - 6.12.77linux
Linux/Linux < 2.6.36
Linux/Linux 2.6.36
Linux/Linux 5.10.253 - 5.10.*
... and 19 more
Published Apr 01, 2026
Tracked Since Apr 01, 2026