{"id":"CVE-2026-46055","summary":"apparmor: Fix string overrun due to missing termination","details":"In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix string overrun due to missing termination\n\nWhen booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm\nSnapdragon X1 we see a string buffer overrun:\n\nBUG: KASAN: slab-out-of-bounds in aa_dfa_match (security/apparmor/match.c:535)\nRead of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120\n\nCPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY\nHardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025\nCall trace:\nshow_stack (arch/arm64/kernel/stacktrace.c:501) (C)\ndump_stack_lvl (lib/dump_stack.c:122)\nprint_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\nkasan_report (mm/kasan/report.c:597)\n__asan_report_load1_noabort (mm/kasan/report_generic.c:378)\naa_dfa_match (security/apparmor/match.c:535)\nmatch_mnt_path_str (security/apparmor/mount.c:244 security/apparmor/mount.c:336)\nmatch_mnt (security/apparmor/mount.c:371)\naa_bind_mount (security/apparmor/mount.c:447 (discriminator 4))\napparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))\nsecurity_sb_mount (security/security.c:1062 (discriminator 31))\npath_mount (fs/namespace.c:4101)\n__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)\ninvoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)\nel0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))\ndo_el0_svc (arch/arm64/kernel/syscall.c:152)\nel0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)\nel0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)\nel0t_64_sync (arch/arm64/kernel/entry.S:596)\n\nAllocated by task 2120:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79)\nkasan_save_alloc_info (mm/kasan/generic.c:571)\n__kasan_kmalloc (mm/kasan/common.c:419)\n__kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272)\naa_get_buffer (security/apparmor/lsm.c:2201)\naa_bind_mount (security/apparmor/mount.c:442)\napparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))\nsecurity_sb_mount (security/security.c:1062 (discriminator 31))\npath_mount (fs/namespace.c:4101)\n__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)\ninvoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)\nel0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))\ndo_el0_svc (arch/arm64/kernel/syscall.c:152)\nel0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)\nel0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)\nel0t_64_sync (arch/arm64/kernel/entry.S:596)\n\nThe buggy address belongs to the object at ffff0008901ca000\nwhich belongs to the cache kmalloc-rnd-06-8k of size 8192\nThe buggy address is located 0 bytes to the right of\nallocated 8192-byte region [ffff0008901ca000, ffff0008901cc000)\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9101c8\nhead: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:-1 pincount:0\nflags: 0x8000000000000040(head|zone=2)\npage_type: f5(slab)\nraw: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70\nraw: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000\nhead: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70\nhead: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000\nhead: 8000000000000003 fffffdffe2407201 fffffdffffffffff 00000000ffffffff\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\nffff0008901cbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nffff0008\n---truncated---","modified":"2026-07-08T08:13:32.797749666Z","published":"2026-05-27T12:57:13.671Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46055.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4b877ef27adc8ec187b0418629169856e7264e01"},{"type":"WEB","url":"https://git.kernel.org/stable/c/828bf7929bedcb79b560b5b4e44f22abee07d31b"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46055.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46055"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"93d4dbdc8da0b8a3ba86f4a08868084f8da872e1"},{"fixed":"4b877ef27adc8ec187b0418629169856e7264e01"},{"fixed":"828bf7929bedcb79b560b5b4e44f22abee07d31b"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46055.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"7.0.0"},{"fixed":"7.0.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46055.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"}]}