Re: Multiple vulnerabilities in AppArmor

[Qualys Security Advisory <qsa () qualys com>]

Hi Linux kernel CVE assignment team, all,

We saw that last week you assigned two CVEs to two of the nine AppArmor
vulnerabilities that were fixed and released on March 12, thank you very
much for these:

------------------------------------------------------------------------
https://lore.kernel.org/linux-cve-announce/2026031846-CVE-2026-23268-6be3@gregkh/T/#u
> - "[PATCH 08/11] apparmor: fix unprivileged local user can do privileged
>   policy management" (the confused-deputy problem detailed in this
>   advisory);
------------------------------------------------------------------------
https://lore.kernel.org/linux-cve-announce/2026031846-CVE-2026-23269-2bf7@gregkh/T/#u
> - "[PATCH 01/11] apparmor: validate DFA start states are in bounds in
>   unpack_pdb" (an out-of-bounds read);
------------------------------------------------------------------------

Since two weeks have passed now (since the fixes were released), would
it be possible to please assign CVEs to the remaining seven AppArmor
vulnerabilities:

------------------------------------------------------------------------
https://git.kernel.org/stable/c/e38c55d9f834e5b848bfed0f5c586aaf45acb825
> - "[PATCH 02/11] apparmor: fix memory leak in verify_header" (a memory
>   leak);
------------------------------------------------------------------------
https://git.kernel.org/stable/c/ab09264660f9de5d05d1ef4e225aa447c63a8747
https://git.kernel.org/stable/c/306039414932c80f8420695a24d4fe10c84ccfb2
> - "[PATCH 03/11] apparmor: replace recursive profile removal with
>   iterative approach" and "[PATCH 04/11] apparmor: fix: limit the number
>   of levels of policy namespaces" (the uncontrolled recursion detailed
>   in this advisory);
------------------------------------------------------------------------
https://git.kernel.org/stable/c/8756b68edae37ff546c02091989a4ceab3f20abd
> - "[PATCH 05/11] apparmor: fix side-effect bug in match_char() macro
>   usage" (the out-of-bounds read detailed in this advisory);
------------------------------------------------------------------------
https://git.kernel.org/stable/c/d352873bbefa7eb39995239d0b44ccdf8aaa79a4
> - "[PATCH 06/11] apparmor: fix missing bounds check on DEFAULT table in
>   verify_dfa()" (an out-of-bounds read and write);
------------------------------------------------------------------------
https://git.kernel.org/stable/c/5df0c44e8f5f619d3beb871207aded7c78414502
> - "[PATCH 07/11] apparmor: Fix double free of ns_name in
>   aa_replace_profiles()" (the double-free detailed in this advisory);
------------------------------------------------------------------------
https://git.kernel.org/stable/c/39440b137546a3aa383cfdabc605fb73811b6093
> - "[PATCH 09/11] apparmor: fix differential encoding verification" (an
>   infinite loop);
------------------------------------------------------------------------
https://git.kernel.org/stable/c/a0b7091c4de45a7325c8780e6934a894f92ac86b
https://git.kernel.org/stable/c/8e135b8aee5a06c52a4347a5a6d51223c6f36ba3
> - "[PATCH 10/11] apparmor: fix race on rawdata dereference" and "[PATCH
>   11/11] apparmor: fix race between freeing data and fs accessing it"
>   (the use-after-free detailed in this advisory).
------------------------------------------------------------------------

Thank you very much in advance! With best regards,

-- 
the Qualys Security Advisory team