#VU124777 Resource exhaustion in Linux kernel - CVE-2026-23409

 


Published: April 1, 2026


Vulnerability identifier: #VU124777
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23409
CWE-ID: CWE-400
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Linux kernel
Software vendor: Linux Foundation

Description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in AppArmor's differential encoding verification when processing encoded profile data. A local user can provide a specially crafted differential-encoded profile that creates loops in the chain to cause a denial of service.

Successful exploitation requires the ability to load AppArmor profiles, which is restricted to privileged users. However, because no additional authentication beyond standard system privileges is required, the attacker is treated as a local user with low privileges in the context of this vulnerability.
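
A verifier can reject the loop condition described above at load time by walking every differential-encoding chain and refusing a table in which a chain revisits a state. The following C code is an added example, not the kernel's AppArmor code; it assumes a simplified model in which a flagged state is stored as a delta against a base state, and `verify_diff_chains`, `DIFF_ENCODE`, `def` and `flags` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define DIFF_ENCODE 0x1u /* hypothetical flag: state i is a delta against def[i] */

/* Simplified model (assumption, not the kernel's table layout).
 * Returns 0 if every diff-encoded chain ends at a fully encoded state,
 * -1 if a chain loops or references a state outside the table. */
int verify_diff_chains(const uint32_t *def, const uint8_t *flags, size_t n)
{
    enum { UNSEEN = 0, IN_WALK, VERIFIED };
    uint8_t *mark = calloc(n ? n : 1, 1);
    int rc = 0;

    if (!mark)
        return -1;
    for (size_t i = 0; i < n && rc == 0; i++) {
        size_t s = i;
        /* Follow the chain, marking each state as part of this walk. */
        while (mark[s] == UNSEEN && (flags[s] & DIFF_ENCODE)) {
            mark[s] = IN_WALK;
            if (def[s] >= n) { rc = -1; break; } /* base state out of range */
            s = def[s];
        }
        /* Landing on a state marked during this same walk means a loop. */
        if (rc == 0 && mark[s] == IN_WALK)
            rc = -1;
        /* Promote the walk so later chains that join it stop immediately. */
        for (size_t t = i; rc == 0 && mark[t] == IN_WALK; t = def[t])
            mark[t] = VERIFIED;
    }
    free(mark);
    return rc;
}

/* Constructed sample tables: in the first, 1 -> 0 and 2 -> 1 terminate;
 * in the second, states 1 and 2 reference each other. */
static const uint32_t good_def[] = {0, 0, 1, 3}, loop_def[] = {0, 2, 1};
static const uint8_t good_flags[] = {0, DIFF_ENCODE, DIFF_ENCODE, 0};
static const uint8_t loop_flags[] = {0, DIFF_ENCODE, DIFF_ENCODE};

int main(void)
{
    printf("good: %d\n", verify_diff_chains(good_def, good_flags, 4));
    printf("loop: %d\n", verify_diff_chains(loop_def, loop_flags, 3));
    return 0;
}
```

Each state is marked at most twice, so the check runs in time linear in the number of states regardless of how the chains are arranged.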


Remediation

Install the security update from the vendor's repository.
