oss-sec mailing list archives

Re: Multiple vulnerabilities in AppArmor


From: Qualys Security Advisory <qsa () qualys com>
Date: Wed, 20 May 2026 16:09:39 +0000

Hi all,

Some food for thought. After reading Solar Designer's post ("I do feel
there can still be cases where a carefully timed notification to
linux-distros would work well"):

  https://www.openwall.com/lists/oss-security/2026/05/01/2

we decided to reconsider our previous decision ("we will coordinate the
disclosure of kernel vulnerabilities with the Linux kernel security team
only"):

  https://www.openwall.com/lists/oss-security/2026/03/12/6

So, for CVE-2026-46333 (a logic bug in __ptrace_may_access()):

  https://www.openwall.com/lists/oss-security/2026/05/15/2
  https://www.openwall.com/lists/oss-security/2026/05/20/15

we tried the following:

Timeline
2026-05-11: Advisory and proof of concept sent to the security@kernel.
2026-05-14: Patch committed publicly (31e62c2) by Linus Torvalds.
2026-05-14: Heads-up sent to the private linux-distros@openwall.
2026-05-15: Heads-up sent to the public oss-security@openwall.
2026-05-20: Advisory published.

This worked reasonably well: by the time we published our full advisory
(including the LPEs to root), most distributions had already updated
their kernel packages.

Thank you very much to everyone involved in this release! With best
regards,

-- 
the Qualys Security Advisory team