MEDIUM 5.5

CVE-2026-46254: Linux AppArmor DFA Alignment Vulnerability (CVSS 5.5 MEDIUM)

A vulnerability in the Linux kernel's AppArmor security module can cause system crashes or hangs when AppArmor processes policy rules containing improperly aligned data structures. The kernel's DFA (Deterministic Finite Automaton) tables used by AppArmor to enforce security policies may originate from either kernel memory or user-supplied configuration, and when these tables aren't properly aligned to 8-byte boundaries, certain CPU architectures trigger unaligned memory access errors. This is a denial-of-service issue—an unprivileged user with the ability to load or modify AppArmor policies could crash the kernel without data loss or privilege escalation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: AppArmor: Allow apparmor to handle unaligned dfa tables The dfa tables can originate from kernel or userspace and 8-byte alignment isn't always guaranteed and as such may trigger unaligned memory accesses on various architectures. Resulting in the following [   73.901376] WARNING: CPU: 0 PID: 341 at security/apparmor/match.c:316 aa_dfa_unpack+0x6cc/0x720 [   74.015867] Modules linked in: binfmt_misc evdev flash sg drm drm_panel_orientation_quirks backlight i2c_core configfs nfnetlink autofs4 ext4 crc16 mbcache jbd2 hid_generic usbhid sr_mod hid cdrom sd_mod ata_generic ohci_pci ehci_pci ehci_hcd ohci_hcd pata_ali libata sym53c8xx scsi_transport_spi tg3 scsi_mod usbcore libphy scsi_common mdio_bus usb_common [   74.428977] CPU: 0 UID: 0 PID: 341 Comm: apparmor_parser Not tainted 6.18.0-rc6+ #9 NONE [   74.536543] Call Trace: [   74.568561] [<0000000000434c24>] dump_stack+0x8/0x18 [   74.633757] [<0000000000476438>] __warn+0xd8/0x100 [   74.696664] [<00000000004296d4>] warn_slowpath_fmt+0x34/0x74 [   74.771006] [<00000000008db28c>] aa_dfa_unpack+0x6cc/0x720 [   74.843062] [<00000000008e643c>] unpack_pdb+0xbc/0x7e0 [   74.910545] [<00000000008e7740>] unpack_profile+0xbe0/0x1300 [   74.984888] [<00000000008e82e0>] aa_unpack+0xe0/0x6a0 [   75.051226] [<00000000008e3ec4>] aa_replace_profiles+0x64/0x1160 [   75.130144] [<00000000008d4d90>] policy_update+0xf0/0x280 [   75.201057] [<00000000008d4fc8>] profile_replace+0xa8/0x100 [   75.274258] [<0000000000766bd0>] vfs_write+0x90/0x420 [   75.340594] [<00000000007670cc>] ksys_write+0x4c/0xe0 [   75.406932] [<0000000000767174>] sys_write+0x14/0x40 [   75.472126] [<0000000000406174>] linux_sparc_syscall+0x34/0x44 [   75.548802] ---[ end trace 0000000000000000 ]--- [   75.609503] dfa blob stream 0xfff0000008926b96 not aligned. [   75.682695] Kernel unaligned access at TPC[8db2a8] aa_dfa_unpack+0x6e8/0x720 Work around it by using the get_unaligned_xx() helpers.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The AppArmor security subsystem relies on DFA tables for policy matching and enforcement. These tables can be supplied from userspace (via policy loading tools like apparmor_parser) or originate from the kernel. The vulnerability arises because the kernel code in security/apparmor/match.c assumes 8-byte alignment of these DFA blobs but does not enforce or validate this constraint. On architectures with strict alignment requirements (notably SPARC, as shown in the kernel trace), dereferencing misaligned pointers triggers CPU exceptions. The fix implements get_unaligned_xx() accessor functions when reading DFA table data, allowing the kernel to safely extract values from memory regions that may not meet alignment assumptions. This is a robustness improvement rather than a true memory safety bug—the data itself is valid, but the access pattern was architecturally unsafe.

Business impact

Availability risk to systems running AppArmor-enforced security policies. An authenticated local user or container/namespace-confined process permitted to trigger policy reloads could induce kernel panics, disrupting service availability. In containerized or multi-tenant environments where unprivileged users can update security profiles, this becomes more exploitable. The impact is limited to denial of service; no privilege escalation or data exfiltration is possible. Organizations relying on AppArmor in high-availability clusters or on SPARC or other alignment-strict architectures face higher operational risk.

Affected systems

Linux kernel versions running AppArmor (typically RHEL/CentOS 8+, Ubuntu, SUSE, and other distributions with AppArmor enabled). The vulnerability manifests most acutely on architectures with strict alignment requirements: SPARC is explicitly mentioned in the kernel trace; ARM64, PowerPC, and other RISC architectures may also be affected. x86-64 systems tolerate unaligned accesses in hardware, so impact there may be reduced or latent. Embedded Linux systems and security-hardened deployments using AppArmor are particularly relevant. Verify your distribution's kernel version and AppArmor enablement status.

Exploitability

Exploitability requires local access and the ability to trigger AppArmor policy loading or reloading. This typically requires root or CAP_MAC_ADMIN capability, but in containerized environments or systems with delegated policy management, unprivileged users may have this permission. The trigger is straightforward—loading a malformed or unaligned policy blob via apparmor_parser or similar userspace tools—and does not require specialized knowledge or race conditions. However, the overall attack surface is limited to local, authenticated vectors. Remote exploitation is not feasible. CVSS 5.5 (MEDIUM) reflects availability impact only, no privilege escalation or confidentiality risk.

Remediation

Apply a kernel patch that updates the DFA unpacking code in security/apparmor/match.c to use get_unaligned_xx() helpers when reading DFA table fields. This ensures safe access on all architectures regardless of alignment. Verify availability and version information from your Linux distribution vendor's security advisory. Until patched, restrict access to AppArmor policy management (apparmor_parser, policy reloading) to trusted, privileged users and avoid loading policies from untrusted sources. Disable AppArmor if it is not required for your security posture.

Patch guidance

Consult your distribution's security advisories for patched kernel versions (Red Hat, Canonical, SUSE, etc.). The upstream Linux kernel fix implements unaligned access helpers in the AppArmor match.c module. Verify the specific kernel version numbers from your vendor before deployment. Testing on non-production AppArmor-enforced systems is recommended to ensure policy loading continues to work correctly after patching. If you maintain custom AppArmor policies, ensure they are reloaded and validated post-patch.

Detection guidance

Monitor kernel logs for unaligned access warnings or exceptions in security/apparmor/match.c (e.g., 'dfa blob stream ... not aligned' messages or 'Kernel unaligned access at TPC[...]'). On systems with AppArmor enabled, enable kernel logging of alignment faults via architecture-specific debug flags if available. Baseline normal policy loading behavior so that crashes during policy updates stand out. In container/orchestration environments, watch for pod evictions or node-level kernel panics that correlate with AppArmor policy changes. Audit access to apparmor_parser and policy directories to identify potential malicious or accidental policy injections.

Why prioritize this

MEDIUM severity with availability impact only warrants prompt but not emergency patching for most organizations. However, prioritize systems running AppArmor on alignment-strict architectures (SPARC, ARM64), containerized multi-tenant deployments where unprivileged users can influence policies, and high-availability clusters where crash availability translates to service disruption. If AppArmor is non-essential to your security posture, consider disabling it to reduce surface area. General Linux deployments on x86-64 with restricted policy management face lower operational risk but should still be patched during routine maintenance windows.

Risk score, explained

CVSS 5.5 (MEDIUM) reflects a localized denial-of-service impact via unaligned memory access. Attack vector is Local, attack complexity is Low (standard policy loading), privilege requirement is Low (CAP_MAC_ADMIN or equivalent), user interaction is None, scope is Unchanged, and impact is high Availability but no Confidentiality or Integrity loss. The score does not increase to High because exploitation requires local authenticated access and causes only service disruption, not data breach or privilege escalation. On x86-64 systems where unaligned accesses are tolerated, the practical risk may be lower; on strict-alignment architectures, the risk is more pronounced.

Frequently asked questions

Can this be exploited remotely?

No. Exploitation requires local access and the ability to load or reload AppArmor policies, typically via privileged tools or capabilities. Remote attackers cannot trigger this vulnerability.

Does this lead to privilege escalation?

No. The vulnerability causes a denial-of-service crash; it does not bypass AppArmor protections, elevate privileges, or provide a path to further compromise. The system simply panics.

Are x86-64 systems affected?

Technically, x86-64 hardware permits unaligned memory accesses in most cases, so the vulnerability may not manifest as a kernel panic. However, the underlying code defect is present, and the patch should still be applied for robustness and to future-proof against architectural changes.

What should I do if I cannot patch immediately?

Restrict policy management access to trusted administrators only, disable AppArmor if not required, and monitor kernel logs for unaligned access warnings. Avoid loading policies from untrusted sources.

This analysis is based on available vulnerability data as of the publication date. Vendors and the upstream Linux kernel project may release additional information or patches after this report. Always verify patch availability and version numbers directly from your distribution's security advisory before applying updates. This document is for informational purposes and does not constitute professional security advice. Consult your organization's security team and risk management processes when prioritizing remediation. No exploit code or attack demonstrations are provided; this vulnerability should not be used for unauthorized access or system disruption. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).