In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
The verify_dfa() function only checks DEFAULT_TABLE bounds when the state is not differentially encoded.
When the verification loop traverses the differential encoding chain, it reads k = DEFAULT_TABLE[j] and uses k as an array index without validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count, therefore, causes both out-of-bounds reads and writes.
[ 57.179855] ==================================================================
[ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660
[ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993

[ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 57.181563] Call Trace:
[ 57.181572] <TASK>
[ 57.181577] dump_stack_lvl+0x5e/0x80
[ 57.181596] print_report+0xc8/0x270
[ 57.181605] ? verify_dfa+0x59a/0x660
[ 57.181608] kasan_report+0x118/0x150
[ 57.181620] ? verify_dfa+0x59a/0x660
[ 57.181623] verify_dfa+0x59a/0x660
[ 57.181627] aa_dfa_unpack+0x1610/0x1740
[ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470
[ 57.181640] unpack_pdb+0x86d/0x46b0
[ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181656] ? aa_unpack_nameX+0x1a8/0x300
[ 57.181659] aa_unpack+0x20b0/0x4c30
[ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181664] ? stack_depot_save_flags+0x33/0x700
[ 57.181681] ? kasan_save_track+0x4f/0x80
[ 57.181683] ? kasan_save_track+0x3e/0x80
[ 57.181686] ? __kasan_kmalloc+0x93/0xb0
[ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780
[ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130
[ 57.181697] ? policy_update+0x154/0x330
[ 57.181704] aa_replace_profiles+0x15a/0x1dd0
[ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780
[ 57.181712] ? aa_loaddata_alloc+0x77/0x140
[ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181717] ? _copy_from_user+0x2a/0x70
[ 57.181730] policy_update+0x17a/0x330
[ 57.181733] profile_replace+0x153/0x1a0
[ 57.181735] ? rw_verify_area+0x93/0x2d0
[ 57.181740] vfs_write+0x235/0xab0
[ 57.181745] ksys_write+0xb0/0x170
[ 57.181748] do_syscall_64+0x8e/0x660
[ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 57.181765] RIP: 0033:0x7f6192792eb2
Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE entries unconditionally.
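The conditional and the unconditional bounds check side by side, as a user-space model added here for illustration (not the kernel's source). The names `verify_model`, `run_malformed` and `run_wellformed`, the flag values, the return codes and the 4-state tables are assumptions constructed for this example; the model reports the out-of-range index instead of performing the access.

```c
#include <stddef.h>
#include <stdint.h>
/* Flag values are placeholders for this model, not the kernel's definitions. */
#define DIFF_ENCODE 0x80000000u /* state is differentially encoded */
#define MARK_DIFF   0x40000000u /* scratch mark: chain link already walked */

enum { DFA_OK = 0, DFA_REJECTED = -1, DFA_OOB_INDEX = 1 };
/* check_all=0: def[i] is bounds-checked only for non-diff-encoded states.
 * check_all=1: every def[i] is bounds-checked (the unconditional check).
 * DFA_OOB_INDEX: the walk would index past the tables; the model returns
 * instead of performing that access. */
int verify_model(uint32_t *base, const uint32_t *def, size_t n, int check_all)
{
    size_t i, j, k;

    for (i = 0; i < n; i++)          /* pass 1: DEFAULT table bounds */
        if ((check_all || !(base[i] & DIFF_ENCODE)) && def[i] >= n)
            return DFA_REJECTED;

    for (i = 0; i < n; i++) {        /* pass 2: walk each diff-encode chain */
        for (j = i; (base[j] & DIFF_ENCODE) && !(base[j] & MARK_DIFF); j = k) {
            k = def[j];
            if (k == j)
                return DFA_REJECTED;  /* chain loops on itself */
            if (k < j)
                break;                /* lower states were walked already */
            if (k >= n)
                return DFA_OOB_INDEX; /* next step would touch base[k] */
            base[j] |= MARK_DIFF;
        }
    }
    return DFA_OK;
}

/* Constructed 4-state tables: state 1 is diff-encoded, def[1] = 9 >= 4. */
int run_malformed(int check_all)
{
    uint32_t base[4] = { 0, DIFF_ENCODE, 0, 0 };
    const uint32_t def[4] = { 0, 9, 0, 0 };
    return verify_model(base, def, 4, check_all);
}

/* Constructed well-formed chain 1 -> 2 -> 3, every index in range. */
int run_wellformed(int check_all)
{
    uint32_t base[4] = { 0, DIFF_ENCODE, DIFF_ENCODE, 0 };
    const uint32_t def[4] = { 0, 2, 3, 0 };
    return verify_model(base, def, 4, check_all);
}
```

With `check_all` set to 0 the malformed table passes the first loop and is only caught at the point where the chain walk would leave the tables; with `check_all` set to 1 it is rejected before any chain is followed.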
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23407.json",
"cna_assigner": "Linux"
}