CVE-2026-46055

Source
https://cve.org/CVERecord?id=CVE-2026-46055
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46055.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46055
Downstream
Related
Published
2026-05-27T12:57:13.671Z
Modified
2026-07-08T08:13:32.797749666Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
apparmor: Fix string overrun due to missing termination
Details

In the Linux kernel, the following vulnerability has been resolved:

apparmor: Fix string overrun due to missing termination

When booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm Snapdragon X1 we see a string buffer overrun:

BUG: KASAN: slab-out-of-bounds in aadfamatch (security/apparmor/match.c:535) Read of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120

CPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY Hardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025 Call trace: showstack (arch/arm64/kernel/stacktrace.c:501) (C) dumpstacklvl (lib/dumpstack.c:122) printreport (mm/kasan/report.c:379 mm/kasan/report.c:482) kasanreport (mm/kasan/report.c:597) __asanreportload1_noabort (mm/kasan/reportgeneric.c:378) aadfamatch (security/apparmor/match.c:535) matchmntpathstr (security/apparmor/mount.c:244 security/apparmor/mount.c:336) matchmnt (security/apparmor/mount.c:371) aabindmount (security/apparmor/mount.c:447 (discriminator 4)) apparmorsbmount (security/apparmor/lsm.c:719 (discriminator 1)) securitysbmount (security/security.c:1062 (discriminator 31)) pathmount (fs/namespace.c:4101) __arm64sysmount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338) invokesyscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49) el0svccommon.constprop.0 (./include/linux/threadinfo.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2)) doel0svc (arch/arm64/kernel/syscall.c:152) el0svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725) el0t64synchandler (arch/arm64/kernel/entry-common.c:744) el0t64sync (arch/arm64/kernel/entry.S:596)

Allocated by task 2120: kasansavestack (mm/kasan/common.c:58) kasansavetrack (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79) kasansavealloc_info (mm/kasan/generic.c:571) __kasan_kmalloc (mm/kasan/common.c:419) __kmallocnoprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272) aagetbuffer (security/apparmor/lsm.c:2201) aabindmount (security/apparmor/mount.c:442) apparmorsbmount (security/apparmor/lsm.c:719 (discriminator 1)) securitysbmount (security/security.c:1062 (discriminator 31)) pathmount (fs/namespace.c:4101) __arm64sysmount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338) invokesyscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49) el0svccommon.constprop.0 (./include/linux/threadinfo.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2)) doel0svc (arch/arm64/kernel/syscall.c:152) el0svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725) el0t64synchandler (arch/arm64/kernel/entry-common.c:744) el0t64sync (arch/arm64/kernel/entry.S:596)

The buggy address belongs to the object at ffff0008901ca000 which belongs to the cache kmalloc-rnd-06-8k of size 8192 The buggy address is located 0 bytes to the right of allocated 8192-byte region [ffff0008901ca000, ffff0008901cc000)

The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9101c8 head: order:3 mapcount:0 entiremapcount:0 nrpagesmapped:-1 pincount:0 flags: 0x8000000000000040(head|zone=2) pagetype: f5(slab) raw: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70 raw: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000 head: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70 head: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000 head: 8000000000000003 fffffdffe2407201 fffffdffffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff0008901cbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0008 ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46055.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
93d4dbdc8da0b8a3ba86f4a08868084f8da872e1
Fixed
4b877ef27adc8ec187b0418629169856e7264e01
Fixed
828bf7929bedcb79b560b5b4e44f22abee07d31b

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46055.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46055.json"