CVE-2026-23406

Source
https://cve.org/CVERecord?id=CVE-2026-23406
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23406.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-23406
Published
2026-04-01T08:36:36.460Z
Modified
2026-04-03T11:03:50.507110Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
apparmor: fix side-effect bug in match_char() macro usage
Details

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix side-effect bug in match_char() macro usage

The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the string pointer advances on each iteration of the inner do-while loop, causing the DFA to check different characters at each iteration and therefore skip input characters. This results in out-of-bounds reads when the pointer advances past the input buffer boundary.

[ 94.984676] ==================================================================
[ 94.985301] BUG: KASAN: slab-out-of-bounds in aadfamatch+0x5ae/0x760
[ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976

[ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 94.986329] Call Trace:
[ 94.986341] <TASK>
[ 94.986347] dumpstacklvl+0x5e/0x80
[ 94.986374] printreport+0xc8/0x270
[ 94.986384] ? aadfamatch+0x5ae/0x760
[ 94.986388] kasanreport+0x118/0x150
[ 94.986401] ? aadfamatch+0x5ae/0x760
[ 94.986405] aadfamatch+0x5ae/0x760
[ 94.986408] __aapathperm+0x131/0x400
[ 94.986418] aa_pathperm+0x219/0x2f0
[ 94.986424] apparmorfileopen+0x345/0x570
[ 94.986431] securityfileopen+0x5c/0x140
[ 94.986442] dodentryopen+0x2f6/0x1120
[ 94.986450] vfsopen+0x38/0x2b0
[ 94.986453] ? mayopen+0x1e2/0x2b0
[ 94.986466] pathopenat+0x231b/0x2b30
[ 94.986469] ? __x64sysopenat+0xf8/0x130
[ 94.986477] dofileopen+0x19d/0x360
[ 94.986487] dosysopenat2+0x98/0x100
[ 94.986491] __x64sysopenat+0xf8/0x130
[ 94.986499] dosyscall64+0x8e/0x660
[ 94.986515] ? countmemcgevents+0x15f/0x3c0
[ 94.986526] ? srsoaliasreturnthunk+0x5/0xfbef5
[ 94.986540] ? handlemmfault+0x1639/0x1ef0
[ 94.986551] ? vmastartread+0xf0/0x320
[ 94.986558] ? srsoaliasreturnthunk+0x5/0xfbef5
[ 94.986561] ? srsoaliasreturnthunk+0x5/0xfbef5
[ 94.986563] ? fpregsassertstateconsistent+0x50/0xe0
[ 94.986572] ? srsoaliasreturnthunk+0x5/0xfbef5
[ 94.986574] ? archexittousermodeprepare+0x9/0xb0
[ 94.986587] ? srsoaliasreturnthunk+0x5/0xfbef5
[ 94.986588] ? irqentryexit+0x3c/0x590
[ 94.986595] entrySYSCALL64afterhwframe+0x76/0x7e
[ 94.986597] RIP: 0033:0x7fda4a79c3ea

Fix by extracting the character value before invoking match_char, ensuring single evaluation per outer loop.
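
The multiple-evaluation hazard described above, reduced to a toy model as an added example. This is not the kernel's match_char() or AppArmor's DFA tables: the STEP macro, the tables and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed toy tables, not AppArmor's DFA. State 2 defers to state 1,
 * which defers to state 0, modelling a two-link fallback chain. */
static const int fallback[3] = { 0, 0, 1 };
static const char accepts[3] = { 'a', 'b', 'c' };

/* Hypothetical macro: C is expanded inside the loop, so an argument with a
 * side effect is re-evaluated on every pass through the chain. */
#define STEP(state, C)                                  \
do {                                                    \
    if (accepts[(state)] == (C) || (state) == 0)        \
        break;                                          \
    (state) = fallback[(state)];                        \
} while (1)

/* Hazardous call pattern: returns bytes consumed by ONE step. */
size_t consumed_with_side_effect(const char *buf)
{
    const char *str = buf;
    int state = 2;
    STEP(state, *str++);    /* pointer moves once per chain link */
    return (size_t)(str - buf);
}

/* Corrected pattern: read the byte once, then pass the plain value. */
size_t consumed_single_eval(const char *buf)
{
    const char *str = buf;
    int state = 2;
    char c = *str++;
    STEP(state, c);
    return (size_t)(str - buf);
}

int main(void)
{
    /* Constructed input, long enough that the demo stays in bounds. */
    const char input[] = "aXYZ";
    printf("side effect: %zu, single eval: %zu\n",
           consumed_with_side_effect(input), consumed_single_eval(input));
    return 0;
}
```

A caller that accounts for one byte per step while the pointer moves once per chain link ends up past the end of its buffer, which is the kind of read the KASAN report above flags.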

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23406.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 074c1cd798cb0b481d7eaa749b64aa416563c053
  Fixed: 5a184f7cbdeaad17e16dedf3c17d0cd622edfed8
  Fixed: b73c1dff8a9d7eeaebabf8097a5b2de192f40913
  Fixed: 0510d1ba0976f97f521feb2b75b0572ea5df3ceb
  Fixed: 383b7270faf42564f133134c2fc3c24bbae52615
  Fixed: 8756b68edae37ff546c02091989a4ceab3f20abd

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23406.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 4.17.0
  Fixed: 6.6.130

Type: ECOSYSTEM
Events:
  Introduced: 6.7.0
  Fixed: 6.12.77

Type: ECOSYSTEM
Events:
  Introduced: 6.13.0
  Fixed: 6.18.18

Type: ECOSYSTEM
Events:
  Introduced: 6.19.0
  Fixed: 6.19.8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23406.json"