Vulnerability-Lookup

SUSE-SU-2026:1532-1

Vulnerability from csaf_suse - Published: 2026-04-21 12:04 - Updated: 2026-04-21 12:04

Summary

Security update for the Linux Kernel (Live Patch 1 for SUSE Linux Enterprise 15 SP7)

Severity

Important

Notes

Title of the patch: Security update for the Linux Kernel (Live Patch 1 for SUSE Linux Enterprise 15 SP7)

Description of the patch: This update for the SUSE Linux Enterprise Kernel 6.4.0-150700.53.3 fixes various security issues The following security issues were fixed: - CVE-2025-40309: Bluetooth: SCO: Fix UAF on sco_conn_free (bsc#1255066). - CVE-2026-23268: apparmor: fix unprivileged local user can do privileged policy management (bsc#1259859).

Patchnames: SUSE-2026-1532,SUSE-SLE-Module-Live-Patching-15-SP7-2026-1532

CVE-2025-40309

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-23268

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/s…	self
	https://www.suse.com/support/update/announcement/…	self
	https://lists.suse.com/pipermail/sle-updates/2026…	self
	https://bugzilla.suse.com/1255066	self
	https://bugzilla.suse.com/1259859	self
	https://www.suse.com/security/cve/CVE-2025-40309/	self
	https://www.suse.com/security/cve/CVE-2026-23268/	self
	https://www.suse.com/security/cve/CVE-2025-40309	external
	https://bugzilla.suse.com/1255065	external
	https://bugzilla.suse.com/1255066	external
	https://www.suse.com/security/cve/CVE-2026-23268	external
	https://bugzilla.suse.com/1258850	external
	https://bugzilla.suse.com/1259859	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel (Live Patch 1 for SUSE Linux Enterprise 15 SP7)",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "\nThis update for the SUSE Linux Enterprise Kernel 6.4.0-150700.53.3 fixes various security issues\n\nThe following security issues were fixed:\n\n- CVE-2025-40309: Bluetooth: SCO: Fix UAF on sco_conn_free (bsc#1255066).\n- CVE-2026-23268: apparmor: fix unprivileged local user can do privileged policy management (bsc#1259859).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2026-1532,SUSE-SLE-Module-Live-Patching-15-SP7-2026-1532",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1532-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:1532-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261532-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:1532-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045845.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1255066",
        "url": "https://bugzilla.suse.com/1255066"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1259859",
        "url": "https://bugzilla.suse.com/1259859"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-40309 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-40309/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-23268 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-23268/"
      }
    ],
    "title": "Security update for the Linux Kernel (Live Patch 1 for SUSE Linux Enterprise 15 SP7)",
    "tracking": {
      "current_release_date": "2026-04-21T12:04:58Z",
      "generator": {
        "date": "2026-04-21T12:04:58Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:1532-1",
      "initial_release_date": "2026-04-21T12:04:58Z",
      "revision_history": [
        {
          "date": "2026-04-21T12:04:58Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.2.ppc64le",
                "product": {
                  "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.2.ppc64le",
                  "product_id": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.ppc64le",
                "product": {
                  "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.ppc64le",
                  "product_id": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.2.s390x",
                "product": {
                  "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.2.s390x",
                  "product_id": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.s390x",
                "product": {
                  "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.s390x",
                  "product_id": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.2.x86_64",
                "product": {
                  "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.2.x86_64",
                  "product_id": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.x86_64",
                "product": {
                  "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.x86_64",
                  "product_id": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Live Patching 15 SP7",
                "product": {
                  "name": "SUSE Linux Enterprise Live Patching 15 SP7",
                  "product_id": "SUSE Linux Enterprise Live Patching 15 SP7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-live-patching:15:sp7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP7",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.ppc64le"
        },
        "product_reference": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP7",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.s390x"
        },
        "product_reference": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP7",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.x86_64"
        },
        "product_reference": "kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-40309",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-40309"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix UAF on sco_conn_free\n\nBUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]\nBUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]\nBUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410\nnet/bluetooth/sco.c:107\nWrite of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352\n\nCPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted\n6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci13 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x191/0x550 mm/kasan/report.c:482\n kasan_report+0xc4/0x100 mm/kasan/report.c:595\n sco_conn_free net/bluetooth/sco.c:87 [inline]\n kref_put include/linux/kref.h:65 [inline]\n sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107\n sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441\n hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]\n hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313\n hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121\n hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147\n hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689\n hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319\n worker_thread+0xbee/0x1200 kernel/workqueue.c:3400\n kthread+0x3c7/0x870 kernel/kthread.c:463\n ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 31370:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4382 [inline]\n __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394\n kmalloc_noprof include/linux/slab.h:909 [inline]\n sk_prot_alloc+0xae/0x220 net/core/sock.c:2239\n sk_alloc+0x34/0x5a0 net/core/sock.c:2295\n bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151\n sco_sock_alloc net/bluetooth/sco.c:562 [inline]\n sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593\n bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135\n __sock_create+0x3ad/0x780 net/socket.c:1589\n sock_create net/socket.c:1647 [inline]\n __sys_socket_create net/socket.c:1684 [inline]\n __sys_socket+0xd5/0x330 net/socket.c:1731\n __do_sys_socket net/socket.c:1745 [inline]\n __se_sys_socket net/socket.c:1743 [inline]\n __x64_sys_socket+0x7a/0x90 net/socket.c:1743\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 31374:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:243 [inline]\n __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2428 [inline]\n slab_free mm/slub.c:4701 [inline]\n kfree+0x199/0x3b0 mm/slub.c:4900\n sk_prot_free net/core/sock.c:2278 [inline]\n __sk_destruct+0x4aa/0x630 net/core/sock.c:2373\n sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333\n __sock_release net/socket.c:649 [inline]\n sock_close+0xb8/0x230 net/socket.c:1439\n __fput+0x3d1/0x9e0 fs/file_table.c:468\n task_work_run+0x206/0x2a0 kernel/task_work.c:227\n get_signal+0x1201/0x1410 kernel/signal.c:2807\n arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n s\n---truncated---",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-40309",
          "url": "https://www.suse.com/security/cve/CVE-2025-40309"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255065 for CVE-2025-40309",
          "url": "https://bugzilla.suse.com/1255065"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255066 for CVE-2025-40309",
          "url": "https://bugzilla.suse.com/1255066"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T12:04:58Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-40309"
    },
    {
      "cve": "CVE-2026-23268",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-23268"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix unprivileged local user can do privileged policy management\n\nAn unprivileged local user can load, replace, and remove profiles by\nopening the apparmorfs interfaces, via a confused deputy attack, by\npassing the opened fd to a privileged process, and getting the\nprivileged process to write to the interface.\n\nThis does require a privileged target that can be manipulated to do\nthe write for the unprivileged process, but once such access is\nachieved full policy management is possible and all the possible\nimplications that implies: removing confinement, DoS of system or\ntarget applications by denying all execution, by-passing the\nunprivileged user namespace restriction, to exploiting kernel bugs for\na local privilege escalation.\n\nThe policy management interface can not have its permissions simply\nchanged from 0666 to 0600 because non-root processes need to be able\nto load policy to different policy namespaces.\n\nInstead ensure the task writing the interface has privileges that\nare a subset of the task that opened the interface. This is already\ndone via policy for confined processes, but unconfined can delegate\naccess to the opened fd, by-passing the usual policy check.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-23268",
          "url": "https://www.suse.com/security/cve/CVE-2026-23268"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1258850 for CVE-2026-23268",
          "url": "https://bugzilla.suse.com/1258850"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259859 for CVE-2026-23268",
          "url": "https://bugzilla.suse.com/1259859"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_53_3-default-14-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T12:04:58Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-23268"
    }
  ]
}

CVE-2026-23268 (GCVE-0-2026-23268)

Vulnerability from cvelistv5 – Published: 2026-03-18 17:54 – Updated: 2026-04-18 08:57

Title

apparmor: fix unprivileged local user can do privileged policy management

Summary

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix unprivileged local user can do privileged policy management An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by passing the opened fd to a privileged process, and getting the privileged process to write to the interface. This does require a privileged target that can be manipulated to do the write for the unprivileged process, but once such access is achieved full policy management is possible and all the possible implications that implies: removing confinement, DoS of system or target applications by denying all execution, by-passing the unprivileged user namespace restriction, to exploiting kernel bugs for a local privilege escalation. The policy management interface can not have its permissions simply changed from 0666 to 0600 because non-root processes need to be able to load policy to different policy namespaces. Instead ensure the task writing the interface has privileges that are a subset of the task that opened the interface. This is already done via policy for confined processes, but unconfined can delegate access to the opened fd, by-passing the usual policy check.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a407a078cd41b5261…
	https://git.kernel.org/stable/c/4cafce4d6d0a66ec2…
	https://git.kernel.org/stable/c/33ee909702e047c94…
	https://git.kernel.org/stable/c/17debf5586020790b…
	https://git.kernel.org/stable/c/0fc63dd9170643d15…
	https://git.kernel.org/stable/c/b60b3f7a35c46b2e0…
	https://git.kernel.org/stable/c/b6a94eeca9c6c8f7c…
	https://git.kernel.org/stable/c/6601e13e828418794…
	https://www.qualys.com/2026/03/10/crack-armor.txt

Impacted products

Vendor

Product

Version

Linux

Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < a407a078cd41b5261b99d822af784bd9f136eb4d (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < 4cafce4d6d0a66ec27e3af5637c11901d60189fa (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < 33ee909702e047c94aaf41d4eea35626d509802c (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < 17debf5586020790b5717f96e5e6a3ca5bb961ab (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < 0fc63dd9170643d15c25681fca792539e23f4640 (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < b60b3f7a35c46b2e0ca934f9c988b8fca06d76c6 (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < b6a94eeca9c6c8f7c55ad44c62c98324f51ec596 (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < 6601e13e82841879406bf9f369032656f441a425 (git)

Linux

Affected: 4.11
Unaffected: 0 , < 4.11 (semver)
Unaffected: 5.10.253 , ≤ 5.10.* (semver)
Unaffected: 5.15.203 , ≤ 5.15.* (semver)
Unaffected: 6.1.169 , ≤ 6.1.* (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.77 , ≤ 6.12.* (semver)
Unaffected: 6.18.18 , ≤ 6.18.* (semver)
Unaffected: 6.19.8 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/apparmor/apparmorfs.c",
            "security/apparmor/include/policy.h",
            "security/apparmor/policy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a407a078cd41b5261b99d822af784bd9f136eb4d",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "4cafce4d6d0a66ec27e3af5637c11901d60189fa",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "33ee909702e047c94aaf41d4eea35626d509802c",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "17debf5586020790b5717f96e5e6a3ca5bb961ab",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "0fc63dd9170643d15c25681fca792539e23f4640",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "b60b3f7a35c46b2e0ca934f9c988b8fca06d76c6",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "b6a94eeca9c6c8f7c55ad44c62c98324f51ec596",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "6601e13e82841879406bf9f369032656f441a425",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/apparmor/apparmorfs.c",
            "security/apparmor/include/policy.h",
            "security/apparmor/policy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.11"
            },
            {
              "lessThan": "4.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.169",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.169",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.77",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.18",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.8",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix unprivileged local user can do privileged policy management\n\nAn unprivileged local user can load, replace, and remove profiles by\nopening the apparmorfs interfaces, via a confused deputy attack, by\npassing the opened fd to a privileged process, and getting the\nprivileged process to write to the interface.\n\nThis does require a privileged target that can be manipulated to do\nthe write for the unprivileged process, but once such access is\nachieved full policy management is possible and all the possible\nimplications that implies: removing confinement, DoS of system or\ntarget applications by denying all execution, by-passing the\nunprivileged user namespace restriction, to exploiting kernel bugs for\na local privilege escalation.\n\nThe policy management interface can not have its permissions simply\nchanged from 0666 to 0600 because non-root processes need to be able\nto load policy to different policy namespaces.\n\nInstead ensure the task writing the interface has privileges that\nare a subset of the task that opened the interface. This is already\ndone via policy for confined processes, but unconfined can delegate\naccess to the opened fd, by-passing the usual policy check."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-18T08:57:28.196Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a407a078cd41b5261b99d822af784bd9f136eb4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cafce4d6d0a66ec27e3af5637c11901d60189fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/33ee909702e047c94aaf41d4eea35626d509802c"
        },
        {
          "url": "https://git.kernel.org/stable/c/17debf5586020790b5717f96e5e6a3ca5bb961ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fc63dd9170643d15c25681fca792539e23f4640"
        },
        {
          "url": "https://git.kernel.org/stable/c/b60b3f7a35c46b2e0ca934f9c988b8fca06d76c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6a94eeca9c6c8f7c55ad44c62c98324f51ec596"
        },
        {
          "url": "https://git.kernel.org/stable/c/6601e13e82841879406bf9f369032656f441a425"
        },
        {
          "url": "https://www.qualys.com/2026/03/10/crack-armor.txt"
        }
      ],
      "title": "apparmor: fix unprivileged local user can do privileged policy management",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23268",
    "datePublished": "2026-03-18T17:54:41.974Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-04-18T08:57:28.196Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40309 (GCVE-0-2025-40309)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33

Title

Bluetooth: SCO: Fix UAF on sco_conn_free

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_conn_free BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352 CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x191/0x550 mm/kasan/report.c:482 kasan_report+0xc4/0x100 mm/kasan/report.c:595 sco_conn_free net/bluetooth/sco.c:87 [inline] kref_put include/linux/kref.h:65 [inline] sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441 hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline] hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313 hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121 hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147 hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689 hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319 worker_thread+0xbee/0x1200 kernel/workqueue.c:3400 kthread+0x3c7/0x870 kernel/kthread.c:463 ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 31370: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4382 [inline] __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0xae/0x220 net/core/sock.c:2239 sk_alloc+0x34/0x5a0 net/core/sock.c:2295 bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151 sco_sock_alloc net/bluetooth/sco.c:562 [inline] sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593 bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135 __sock_create+0x3ad/0x780 net/socket.c:1589 sock_create net/socket.c:1647 [inline] __sys_socket_create net/socket.c:1684 [inline] __sys_socket+0xd5/0x330 net/socket.c:1731 __do_sys_socket net/socket.c:1745 [inline] __se_sys_socket net/socket.c:1743 [inline] __x64_sys_socket+0x7a/0x90 net/socket.c:1743 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 31374: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2428 [inline] slab_free mm/slub.c:4701 [inline] kfree+0x199/0x3b0 mm/slub.c:4900 sk_prot_free net/core/sock.c:2278 [inline] __sk_destruct+0x4aa/0x630 net/core/sock.c:2373 sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333 __sock_release net/socket.c:649 [inline] sock_close+0xb8/0x230 net/socket.c:1439 __fput+0x3d1/0x9e0 fs/file_table.c:468 task_work_run+0x206/0x2a0 kernel/task_work.c:227 get_signal+0x1201/0x1410 kernel/signal.c:2807 arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] s ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2026:1532-1

CVE-2026-23268 (GCVE-0-2026-23268)

CVE-2025-40309 (GCVE-0-2025-40309)

Tags

Sightings

Nomenclature