In the Linux kernel, the following vulnerability has been resolved:
apparmor: validate DFA start states are in bounds in unpack_pdb
Start states are read from untrusted data and used as indexes into the
DFA state tables. The aa_dfa_next() function call in unpack_pdb() will
access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds
the number of states in the DFA, this results in an out-of-bound read.
==================================================================
BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
Read of size 4 at addr ffff88811956fb90 by task su/1097
...
Reject policies with out-of-bounds start states during unpacking
to prevent the issue.
Attack Parameters
Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
High
Complete denial of service
CVSS Vector v3.1
References 9
https://git.kernel.org/stable/c/0baadb0eece2c4d939db10d3c323b4652ac79a58
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3bb7db43e32190c973d4019037cedb7895920184
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9063d7e2615f4a7ab321de6b520e23d370e58816
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://www.qualys.com/2026/03/10/crack-armor.txt
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/07cf6320f40ea2ccfad63728cff34ecb309d03da
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5443c027ec16afa55b1b8a3e7a1ab2ea3c77767a
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5487871b2b56c19d26936ed6fdc62652b30941df
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f43eea8ae0102ea198da211ef7f5ce83725ecf19
416baaa9-dc9f-4396-8d5f-8c081fb06d67