CVE-2026-47326: Ubuntu Linux AppArmor Memory Leak Denial of Service
Ubuntu Linux versions 6.8, 6.17, and 7.0 contain a memory leak flaw in how the kernel handles large responses from AppArmor (the mandatory access control framework). An unprivileged local user can trigger this leak repeatedly, causing the system to exhaust available memory and potentially become unstable or unresponsive. The vulnerability requires local access and does not compromise data confidentiality or integrity, but can degrade or deny service to legitimate users.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-401
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47326 is a memory leak vulnerability (CWE-401) in the Linux kernel's AppArmor notification handling subsystem. When processing large responses to AppArmor policy queries, affected kernel versions fail to properly deallocate memory in specific code paths within SAUCE patches applied to versions 6.8, 6.17, and 7.0. An unprivileged local process can repeatedly invoke the vulnerable code path, accumulating unreleased heap or kernel memory until resource limits are reached. The bug is triggered through AppArmor notification interfaces accessible to unprivileged users.
Business impact
A successful exploitation leads to denial-of-service conditions on affected systems. Continuous memory exhaustion can cause application crashes, system slowdowns, or forced reboots, disrupting production workloads and availability. For organizations running Ubuntu on critical infrastructure, hypervisors, or multi-tenant environments, a local user could degrade performance for all tenants or halt essential services. Recovery typically requires manual intervention (process termination or system restart), creating operational overhead and potential data loss risk if uncontrolled shutdowns occur.
Affected systems
The vulnerability affects Ubuntu Linux kernel versions 6.8, 6.17, and 7.0. These are relatively recent kernel releases; organizations should verify which Ubuntu versions ship or have been updated to these kernel versions. The affected versions contain SAUCE (Secure and Usable Cryptographic Encapsulation) patches that introduced or propagated the defect. Other Linux distributions and kernel versions are not indicated to be affected based on available evidence.
Exploitability
Exploitability is straightforward for any unprivileged local user with shell access to an affected system. No special privileges, user interaction, or complex race conditions are required. The attack surface is the AppArmor notification mechanism, which is available by design to unprivileged processes. This makes the vulnerability practical to exploit in shared hosting, multi-user systems, and containerized environments where local user isolation is relied upon. However, the attack requires local code execution; remote exploitation is not possible.
Remediation
Patch affected Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 to updated releases that include fixes for the AppArmor memory leak. Consult Ubuntu security advisories and the Ubuntu kernel team's official patch guidance for specific fixed versions. As an interim mitigation, restrict local user shell access on critical systems or use containerization and kernel capabilities to limit unprivileged users' access to AppArmor interfaces. Monitor system memory usage for unexplained growth, which may indicate exploitation attempts.
Patch guidance
Monitor Ubuntu security announcements and kernel release notes for patches addressing this memory leak in AppArmor handling. Verify patch availability and applicability for your specific Ubuntu release and kernel version through ubuntu.com/security and the canonical kernel repository. Test patches in a staging environment before production deployment, as kernel updates require system reboots. Prioritize patching for multi-user systems and shared infrastructure where local users are less trusted.
Detection guidance
Monitor for sustained or abnormal kernel memory growth, particularly from kworker or other kernel threads associated with AppArmor processing. Use 'ps aux' and '/proc/meminfo' to track memory trends over time. Enable audit logging for AppArmor policy events (auditctl) and correlate with memory pressure events. Look for repeated invocations of AppArmor notification queries by unprivileged processes. Kernel memory leak detection tools (kmemleak) can help identify the specific call stacks responsible for unreleased memory if enabled and tuned for AppArmor subsystem.
Why prioritize this
While the CVSS score of 5.5 (Medium) reflects the lack of data breach risk, the practical availability impact on multi-user and cloud systems warrants prompt patching. Unprivileged users are commonplace, the exploit is trivial to execute, and the consequence (system-wide DoS) is severe in shared environments. This is not a critical remote code execution flaw, but it is a high-confidence local denial-of-service vector that affects user experience and system stability.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects: Attack Vector Local (AV:L) — requires shell access; Attack Complexity Low (AC:L) — no race conditions or environmental setup needed; Privileges Required Low (PR:L) — unprivileged user suffices; User Interaction None (UI:N) — attack is automatic; Scope Unchanged (S:U) — impact is limited to the affected system; Confidentiality None (C:N), Integrity None (I:N) — no data theft or tampering; Availability High (A:H) — memory exhaustion causes DoS. The Medium severity reflects the local-only attack vector, but organizations should view the high availability impact and ease of exploitation as justification for prompt remediation in high-availability environments.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The vulnerability requires local code execution (shell access) to the affected system. Remote attackers cannot trigger the AppArmor memory leak over the network. However, in multi-tenant cloud or hosting environments, any untrusted local user can exploit it.
What is SAUCE and why does it matter to this vulnerability?
SAUCE (Secure and Usable Cryptographic Encapsulation) is a patchset applied to Ubuntu kernels. The memory leak was introduced or is present in SAUCE patches in versions 6.8, 6.17, and 7.0. This tells you to check Ubuntu's SAUCE patch release notes and kernel advisories for the specific fixed versions.
Will patching require a reboot?
Yes. Linux kernel patches require a system reboot to take effect. Plan maintenance windows accordingly, especially for production systems. Some organizations use live kernel patching technologies (e.g., kpatch, Livepatch) to avoid reboots, but availability depends on your Ubuntu support tier and kernel version.
Is AppArmor enabled by default on all Ubuntu systems?
AppArmor is the default mandatory access control system on Ubuntu (unlike SELinux on Red Hat systems). Most Ubuntu systems have AppArmor enabled, making them potentially vulnerable if running affected kernel versions. Verify your AppArmor status with 'systemctl status apparmor' or check '/sys/module/apparmor'.
This analysis is provided for informational purposes and reflects publicly available information as of the published date. Specific patch versions, timelines, and availability are subject to Ubuntu/Canonical's official advisories and release schedules. Organizations should verify all remediation steps against vendor documentation before deployment. SEC.co does not warrant the completeness or timeliness of this analysis. Always consult official vendor sources (ubuntu.com/security, CVE databases, kernel.org) for authoritative technical details and patches. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45682MEDIUMOpenTelemetry eBPF Instrumentation Memory Leak in Java TLS State Tracking
- CVE-2026-46109MEDIUMLinux Kernel USB ULPI Memory Leak – CVSS 5.5 Medium
- CVE-2026-46141MEDIUMPowerPC XIVE Memory Leak in MSI-X Interrupt Allocation
- CVE-2026-46143MEDIUMLinux QCOM Audio Driver Memory Leak – Availability Risk
- CVE-2026-46147MEDIUMLinux ARM64 KVM vCPU Initialization Pin Leak and Race Condition
- CVE-2026-46151MEDIUMLinux Kernel USB Printer Driver Heap Memory Leak
- CVE-2026-46171MEDIUMLinux RISC-V KVM Vector Context Memory Leak
- CVE-2026-46182MEDIUMLinux Kernel PAPR Hypervisor Pipe Information Disclosure Vulnerability