CVE Catalog

CVE-2026-45884

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

5th percentile - higher than 5% of all known CVEs

Summary

In the Linux kernel, a vulnerability was found in the AppArmor module where the per-CPU counter in aa_get_buffer can underflow. When the hold counter reaches zero while count is non-zero, it wraps to UINT_MAX, preventing buffer return to the global list and causing starvation on other CPUs and excessive memory allocations.

Risk Assessment

The organization may experience significant system performance degradation due to per-CPU buffer exhaustion, forcing frequent memory allocations and potentially leading to denial of service (DoS) in environments with heavy AppArmor usage.

Recommendation

Immediately update the Linux kernel to a version containing the fix that prevents the hold counter underflow in the aa_get_buffer function.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid per-cpu hold underflow in aa_get_buffer When aa_get_buffer() pulls from the per-cpu list it unconditionally decrements cache->hold. If hold reaches 0 while count is still non-zero, the unsigned decrement wraps to UINT_MAX. This keeps hold non-zero for a very long time, so aa_put_buffer() never returns buffers to the global list, which can starve other CPUs and force repeated kmalloc(aa_g_path_max) allocations. Guard the decrement so hold never underflows.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS