CVE-2026-45884
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk5th percentile - higher than 5% of all known CVEs
Summary
In the Linux kernel, a vulnerability was found in the AppArmor module where the per-CPU counter in aa_get_buffer can underflow. When the hold counter reaches zero while count is non-zero, it wraps to UINT_MAX, preventing buffer return to the global list and causing starvation on other CPUs and excessive memory allocations.
Risk Assessment
The organization may experience significant system performance degradation due to per-CPU buffer exhaustion, forcing frequent memory allocations and potentially leading to denial of service (DoS) in environments with heavy AppArmor usage.
Recommendation
Immediately update the Linux kernel to a version containing the fix that prevents the hold counter underflow in the aa_get_buffer function.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid per-cpu hold underflow in aa_get_buffer When aa_get_buffer() pulls from the per-cpu list it unconditionally decrements cache->hold. If hold reaches 0 while count is still non-zero, the unsigned decrement wraps to UINT_MAX. This keeps hold non-zero for a very long time, so aa_put_buffer() never returns buffers to the global list, which can starve other CPUs and force repeated kmalloc(aa_g_path_max) allocations. Guard the decrement so hold never underflows.

