Vulnerability-Lookup

SUSE-SU-2026:21399-1

Vulnerability from csaf_suse - Published: 2026-04-24 10:02 - Updated: 2026-04-24 10:02

Summary

Security update for the Linux Kernel (Live Patch 5 for SUSE Linux Enterprise 16)

Severity

Important

Notes

Title of the patch: Security update for the Linux Kernel (Live Patch 5 for SUSE Linux Enterprise 16)

Description of the patch: This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.26.1 fixes one security issue The following security issue was fixed: - CVE-2026-23268: apparmor: fix unprivileged local user can do privileged policy management (bsc#1259859).

Patchnames: SUSE-SLES-16.0-638

CVE-2026-23268

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/s…	self
	https://www.suse.com/support/update/announcement/…	self
	https://lists.suse.com/pipermail/sle-updates/2026…	self
	https://bugzilla.suse.com/1259859	self
	https://www.suse.com/security/cve/CVE-2026-23268/	self
	https://www.suse.com/security/cve/CVE-2026-23268	external
	https://bugzilla.suse.com/1258850	external
	https://bugzilla.suse.com/1259859	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel (Live Patch 5 for SUSE Linux Enterprise 16)",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "\nThis update for the SUSE Linux Enterprise Kernel 6.12.0-160000.26.1 fixes one security issue\n\nThe following security issue was fixed:\n\n- CVE-2026-23268: apparmor: fix unprivileged local user can do privileged policy management (bsc#1259859).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLES-16.0-638",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21399-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:21399-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621399-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:21399-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2026-April/046137.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1259859",
        "url": "https://bugzilla.suse.com/1259859"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-23268 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-23268/"
      }
    ],
    "title": "Security update for the Linux Kernel (Live Patch 5 for SUSE Linux Enterprise 16)",
    "tracking": {
      "current_release_date": "2026-04-24T10:02:01Z",
      "generator": {
        "date": "2026-04-24T10:02:01Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:21399-1",
      "initial_release_date": "2026-04-24T10:02:01Z",
      "revision_history": [
        {
          "date": "2026-04-24T10:02:01Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le",
                "product": {
                  "name": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le",
                  "product_id": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x",
                "product": {
                  "name": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x",
                  "product_id": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64",
                "product": {
                  "name": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64",
                  "product_id": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server 16.0",
                  "product_id": "SUSE Linux Enterprise Server 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le"
        },
        "product_reference": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x"
        },
        "product_reference": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64"
        },
        "product_reference": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le"
        },
        "product_reference": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x"
        },
        "product_reference": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64"
        },
        "product_reference": "kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-23268",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-23268"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix unprivileged local user can do privileged policy management\n\nAn unprivileged local user can load, replace, and remove profiles by\nopening the apparmorfs interfaces, via a confused deputy attack, by\npassing the opened fd to a privileged process, and getting the\nprivileged process to write to the interface.\n\nThis does require a privileged target that can be manipulated to do\nthe write for the unprivileged process, but once such access is\nachieved full policy management is possible and all the possible\nimplications that implies: removing confinement, DoS of system or\ntarget applications by denying all execution, by-passing the\nunprivileged user namespace restriction, to exploiting kernel bugs for\na local privilege escalation.\n\nThe policy management interface can not have its permissions simply\nchanged from 0666 to 0600 because non-root processes need to be able\nto load policy to different policy namespaces.\n\nInstead ensure the task writing the interface has privileges that\nare a subset of the task that opened the interface. This is already\ndone via policy for confined processes, but unconfined can delegate\naccess to the opened fd, by-passing the usual policy check.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x",
          "SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64",
          "SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x",
          "SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-23268",
          "url": "https://www.suse.com/security/cve/CVE-2026-23268"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1258850 for CVE-2026-23268",
          "url": "https://bugzilla.suse.com/1258850"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259859 for CVE-2026-23268",
          "url": "https://bugzilla.suse.com/1259859"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64",
            "SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.s390x",
            "SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_26-default-3-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-24T10:02:01Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-23268"
    }
  ]
}

CVE-2026-23268 (GCVE-0-2026-23268)

Vulnerability from cvelistv5 – Published: 2026-03-18 17:54 – Updated: 2026-04-18 08:57

Title

apparmor: fix unprivileged local user can do privileged policy management

Summary

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix unprivileged local user can do privileged policy management An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by passing the opened fd to a privileged process, and getting the privileged process to write to the interface. This does require a privileged target that can be manipulated to do the write for the unprivileged process, but once such access is achieved full policy management is possible and all the possible implications that implies: removing confinement, DoS of system or target applications by denying all execution, by-passing the unprivileged user namespace restriction, to exploiting kernel bugs for a local privilege escalation. The policy management interface can not have its permissions simply changed from 0666 to 0600 because non-root processes need to be able to load policy to different policy namespaces. Instead ensure the task writing the interface has privileges that are a subset of the task that opened the interface. This is already done via policy for confined processes, but unconfined can delegate access to the opened fd, by-passing the usual policy check.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a407a078cd41b5261…
	https://git.kernel.org/stable/c/4cafce4d6d0a66ec2…
	https://git.kernel.org/stable/c/33ee909702e047c94…
	https://git.kernel.org/stable/c/17debf5586020790b…
	https://git.kernel.org/stable/c/0fc63dd9170643d15…
	https://git.kernel.org/stable/c/b60b3f7a35c46b2e0…
	https://git.kernel.org/stable/c/b6a94eeca9c6c8f7c…
	https://git.kernel.org/stable/c/6601e13e828418794…
	https://www.qualys.com/2026/03/10/crack-armor.txt

Impacted products

Vendor

Product

Version

Linux

Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < a407a078cd41b5261b99d822af784bd9f136eb4d (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < 4cafce4d6d0a66ec27e3af5637c11901d60189fa (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < 33ee909702e047c94aaf41d4eea35626d509802c (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < 17debf5586020790b5717f96e5e6a3ca5bb961ab (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < 0fc63dd9170643d15c25681fca792539e23f4640 (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < b60b3f7a35c46b2e0ca934f9c988b8fca06d76c6 (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < b6a94eeca9c6c8f7c55ad44c62c98324f51ec596 (git)
Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < 6601e13e82841879406bf9f369032656f441a425 (git)

Linux

Affected: 4.11
Unaffected: 0 , < 4.11 (semver)
Unaffected: 5.10.253 , ≤ 5.10.* (semver)
Unaffected: 5.15.203 , ≤ 5.15.* (semver)
Unaffected: 6.1.169 , ≤ 6.1.* (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.77 , ≤ 6.12.* (semver)
Unaffected: 6.18.18 , ≤ 6.18.* (semver)
Unaffected: 6.19.8 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/apparmor/apparmorfs.c",
            "security/apparmor/include/policy.h",
            "security/apparmor/policy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a407a078cd41b5261b99d822af784bd9f136eb4d",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "4cafce4d6d0a66ec27e3af5637c11901d60189fa",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "33ee909702e047c94aaf41d4eea35626d509802c",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "17debf5586020790b5717f96e5e6a3ca5bb961ab",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "0fc63dd9170643d15c25681fca792539e23f4640",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "b60b3f7a35c46b2e0ca934f9c988b8fca06d76c6",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "b6a94eeca9c6c8f7c55ad44c62c98324f51ec596",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            },
            {
              "lessThan": "6601e13e82841879406bf9f369032656f441a425",
              "status": "affected",
              "version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/apparmor/apparmorfs.c",
            "security/apparmor/include/policy.h",
            "security/apparmor/policy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.11"
            },
            {
              "lessThan": "4.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.169",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.169",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.77",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.18",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.8",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix unprivileged local user can do privileged policy management\n\nAn unprivileged local user can load, replace, and remove profiles by\nopening the apparmorfs interfaces, via a confused deputy attack, by\npassing the opened fd to a privileged process, and getting the\nprivileged process to write to the interface.\n\nThis does require a privileged target that can be manipulated to do\nthe write for the unprivileged process, but once such access is\nachieved full policy management is possible and all the possible\nimplications that implies: removing confinement, DoS of system or\ntarget applications by denying all execution, by-passing the\nunprivileged user namespace restriction, to exploiting kernel bugs for\na local privilege escalation.\n\nThe policy management interface can not have its permissions simply\nchanged from 0666 to 0600 because non-root processes need to be able\nto load policy to different policy namespaces.\n\nInstead ensure the task writing the interface has privileges that\nare a subset of the task that opened the interface. This is already\ndone via policy for confined processes, but unconfined can delegate\naccess to the opened fd, by-passing the usual policy check."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-18T08:57:28.196Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a407a078cd41b5261b99d822af784bd9f136eb4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cafce4d6d0a66ec27e3af5637c11901d60189fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/33ee909702e047c94aaf41d4eea35626d509802c"
        },
        {
          "url": "https://git.kernel.org/stable/c/17debf5586020790b5717f96e5e6a3ca5bb961ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fc63dd9170643d15c25681fca792539e23f4640"
        },
        {
          "url": "https://git.kernel.org/stable/c/b60b3f7a35c46b2e0ca934f9c988b8fca06d76c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6a94eeca9c6c8f7c55ad44c62c98324f51ec596"
        },
        {
          "url": "https://git.kernel.org/stable/c/6601e13e82841879406bf9f369032656f441a425"
        },
        {
          "url": "https://www.qualys.com/2026/03/10/crack-armor.txt"
        }
      ],
      "title": "apparmor: fix unprivileged local user can do privileged policy management",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23268",
    "datePublished": "2026-03-18T17:54:41.974Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-04-18T08:57:28.196Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2026:21399-1

CVE-2026-23268 (GCVE-0-2026-23268)

Tags

Sightings

Nomenclature