MEDIUM 5.5

CVE-2026-47335: Ubuntu Linux 6.8 AppArmor NULL Pointer Dereference Denial of Service

Ubuntu Linux kernel version 6.8 contains a defect in how it handles AppArmor security notifications. An unprivileged local user can trigger a NULL pointer dereference—a programming error where the kernel tries to access memory that doesn't exist—causing the entire system to crash. This is a local denial-of-service vulnerability; it does not allow data theft or privilege escalation, but it can disrupt service availability.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47335 involves a NULL pointer dereference (CWE-476) in the AppArmor notification handling code within Ubuntu Linux 6.8's SAUCE patch set. The vulnerability is triggered when the kernel receives a malformed or missing pointer during AppArmor event processing, resulting in a kernel panic. The attack vector is local; an unprivileged user with shell access can invoke the vulnerable code path without requiring additional privileges or user interaction. The defect was introduced as part of the SAUCE (Ubuntu's hardware enablement and patch aggregation layer) updates for kernel 6.8.

Business impact

Organizations running Ubuntu Linux 6.8 face availability risk. An attacker with local user access—such as a compromised application account, insider, or lateral movement from another vulnerability—can crash the system on demand, preventing legitimate workloads from running. In multi-tenant or containerized environments, this could disrupt service to multiple customers or applications. However, since exploitation requires local access and does not grant privilege escalation or data compromise, the threat is primarily one of disruption rather than data breach.

Affected systems

Ubuntu Linux kernel 6.8 is affected. This kernel is typically deployed on Ubuntu 24.04 LTS and related Ubuntu releases during the 6.8 kernel cycle. Systems running earlier kernel versions (6.7 or older) or later versions (6.9 and beyond, if updated) are not affected by this specific vulnerability. Verify your kernel version with `uname -r` to confirm exposure.

Exploitability

Exploitability is straightforward for attackers already possessing local user access. No special tools, privileges, or complex tricks are required; the NULL pointer dereference is triggered by normal AppArmor notification handling, meaning even routine security operations could hit the vulnerability. However, exploitation requires local shell access, which limits the attack surface to insider threats, compromised application accounts, or systems already breached via other means. The vulnerability is not remotely exploitable.

Remediation

Apply a kernel update that patches the AppArmor NULL pointer dereference. Ubuntu typically releases fixes through linux-image package updates. Users should verify the specific patched kernel version in the Ubuntu security advisories and install the updated package via apt. Following patching, reboot the system to load the corrected kernel. Until patching is possible, restrict local user access and monitor for unexpected kernel panic events.

Patch guidance

Check the Ubuntu Security Notices (USN) for Linux 6.8 advisories published on or after 2026-06-17 (the latest modification date for this CVE). The advisory will specify the patched kernel version. Typical Ubuntu practice involves releasing a new linux-image package; install it with `sudo apt update && sudo apt install linux-image-generic` (or the equivalent for your Ubuntu flavor), then reboot. Verify the new kernel is active with `uname -r` and confirm it matches the patched version listed in the advisory.

Detection guidance

Monitor system logs for kernel panic messages and console output referencing AppArmor or NULL pointer dereferences. On systems with kdump or similar crash capture enabled, retrieve and analyze crash dumps for NULL pointer dereference signatures in apparmor-related kernel functions. Intrusion detection systems can flag multiple rapid kernel reboots from the same source as a potential indicator of local denial-of-service attempts. However, kernel panics can have many causes; correlate with access logs to identify whether a specific local user account precedes each crash.

Why prioritize this

This vulnerability merits prompt but not emergency patching. The CVSS score of 5.5 (Medium severity) reflects the local-only attack vector and lack of confidentiality or integrity impact. However, availability disruption can significantly harm business operations. Organizations should prioritize patching systems in production environments where local user access is common (shared hosting, multi-tenant systems, development clusters) over isolated systems with minimal local user population. Coordinate patching with maintenance windows to avoid unscheduled downtime.

Risk score, explained

CVSS 3.1 score of 5.5 is driven by: (1) Local attack vector (AV:L)—requiring prior system access; (2) Low attack complexity (AC:L)—straightforward to trigger; (3) Low privileges required (PR:L)—unprivileged user suffices; (4) No user interaction (UI:N); (5) No confidentiality or integrity impact (C:N, I:N); but (6) High availability impact (A:H)—kernel panic causes complete service disruption. The score reflects a real but bounded threat: it hurts availability but not data security.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-47335 requires local user access to the system. It cannot be exploited over the network. An attacker must already have shell access or be able to run code as a local user account.

Does patching require downtime?

Yes, patching requires a kernel reboot. Plan the update during a maintenance window. Most organizations schedule kernel updates in off-peak hours to minimize disruption.

Are older Ubuntu releases affected?

Only Ubuntu systems running kernel 6.8 are affected. Releases on kernel 6.7, 6.9, or other versions are not vulnerable to this specific CVE. Check your kernel version with `uname -r`.

What happens if this vulnerability is exploited?

The system will experience a kernel panic and reboot. Services will become unavailable until the system restarts. There is no data loss or privilege escalation; the impact is strictly denial-of-service through availability disruption.

This analysis is based on publicly available vulnerability data and Ubuntu vendor advisories as of the publication and modification dates noted. Security teams should verify patch availability and compatibility in their specific Ubuntu environment before deploying updates. Kernel updates may interact with custom kernel modules or hardware-specific configurations; test in a non-production environment first. No exploit code or proof-of-concept is provided. For official guidance, consult the Ubuntu Security Team notices and your internal change management procedures. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).