{"api_version":"1","generated_at":"2026-04-19T01:14:04+00:00","cve":"CVE-2026-23411","urls":{"html":"https://cve.report/CVE-2026-23411","api":"https://cve.report/api/cve/CVE-2026-23411.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23411","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23411"},"summary":{"title":"apparmor: fix race between freeing data and fs accessing it","description":"In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix race between freeing data and fs accessing it\n\nAppArmor was putting the reference to i_private data on its end after\nremoving the original entry from the file system. However the inode\ncan aand does live beyond that point and it is possible that some of\nthe fs call back functions will be invoked after the reference has\nbeen put, which results in a race between freeing the data and\naccessing it through the fs.\n\nWhile the rawdata/loaddata is the most likely candidate to fail the\nrace, as it has the fewest references. If properly crafted it might be\npossible to trigger a race for the other types stored in i_private.\n\nFix this by moving the put of i_private referenced data to the correct\nplace which is during inode eviction.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-01 09:16:17","updated_at":"2026-04-18 09:16:25"},"problem_types":[],"metrics":[{"version":"3.1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://git.kernel.org/stable/c/8e135b8aee5a06c52a4347a5a6d51223c6f36ba3","name":"https://git.kernel.org/stable/c/8e135b8aee5a06c52a4347a5a6d51223c6f36ba3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/13bc2772414d68e94e273dea013181a986948ddf","name":"https://git.kernel.org/stable/c/13bc2772414d68e94e273dea013181a986948ddf","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a92c5e5086a87d082696245a8607666da3d80554","name":"https://git.kernel.org/stable/c/a92c5e5086a87d082696245a8607666da3d80554","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ae10787d955fb255d381e0d5589451dd72c614b1","name":"https://git.kernel.org/stable/c/ae10787d955fb255d381e0d5589451dd72c614b1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/eecce026399917f6efa532c56bc7a3e9dd6ee68b","name":"https://git.kernel.org/stable/c/eecce026399917f6efa532c56bc7a3e9dd6ee68b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3ddb961d2929bbb3204a2bba21b5d8153cd3f7cc","name":"https://git.kernel.org/stable/c/3ddb961d2929bbb3204a2bba21b5d8153cd3f7cc","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/667df93769c02ff581c77d2d8f162147e719c557","name":"https://git.kernel.org/stable/c/667df93769c02ff581c77d2d8f162147e719c557","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2a732ed26fbd048e7925d227af8cf9ea43fb5cc9","name":"https://git.kernel.org/stable/c/2a732ed26fbd048e7925d227af8cf9ea43fb5cc9","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23411","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23411","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c961ee5f21b202dea60b63eeef945730d92e46a6 a92c5e5086a87d082696245a8607666da3d80554 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c961ee5f21b202dea60b63eeef945730d92e46a6 667df93769c02ff581c77d2d8f162147e719c557 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c961ee5f21b202dea60b63eeef945730d92e46a6 3ddb961d2929bbb3204a2bba21b5d8153cd3f7cc git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c961ee5f21b202dea60b63eeef945730d92e46a6 ae10787d955fb255d381e0d5589451dd72c614b1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c961ee5f21b202dea60b63eeef945730d92e46a6 eecce026399917f6efa532c56bc7a3e9dd6ee68b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c961ee5f21b202dea60b63eeef945730d92e46a6 13bc2772414d68e94e273dea013181a986948ddf git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c961ee5f21b202dea60b63eeef945730d92e46a6 2a732ed26fbd048e7925d227af8cf9ea43fb5cc9 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c961ee5f21b202dea60b63eeef945730d92e46a6 8e135b8aee5a06c52a4347a5a6d51223c6f36ba3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.13","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.13 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.253 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.169 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.130 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.77 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.18 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.8 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"23411","cve":"CVE-2026-23411","epss":"0.000130000","percentile":"0.023010000","score_date":"2026-04-18","updated_at":"2026-04-19 00:10:43"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["security/apparmor/apparmorfs.c","security/apparmor/include/label.h","security/apparmor/include/lib.h","security/apparmor/include/policy.h","security/apparmor/include/policy_unpack.h","security/apparmor/label.c","security/apparmor/policy_unpack.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"a92c5e5086a87d082696245a8607666da3d80554","status":"affected","version":"c961ee5f21b202dea60b63eeef945730d92e46a6","versionType":"git"},{"lessThan":"667df93769c02ff581c77d2d8f162147e719c557","status":"affected","version":"c961ee5f21b202dea60b63eeef945730d92e46a6","versionType":"git"},{"lessThan":"3ddb961d2929bbb3204a2bba21b5d8153cd3f7cc","status":"affected","version":"c961ee5f21b202dea60b63eeef945730d92e46a6","versionType":"git"},{"lessThan":"ae10787d955fb255d381e0d5589451dd72c614b1","status":"affected","version":"c961ee5f21b202dea60b63eeef945730d92e46a6","versionType":"git"},{"lessThan":"eecce026399917f6efa532c56bc7a3e9dd6ee68b","status":"affected","version":"c961ee5f21b202dea60b63eeef945730d92e46a6","versionType":"git"},{"lessThan":"13bc2772414d68e94e273dea013181a986948ddf","status":"affected","version":"c961ee5f21b202dea60b63eeef945730d92e46a6","versionType":"git"},{"lessThan":"2a732ed26fbd048e7925d227af8cf9ea43fb5cc9","status":"affected","version":"c961ee5f21b202dea60b63eeef945730d92e46a6","versionType":"git"},{"lessThan":"8e135b8aee5a06c52a4347a5a6d51223c6f36ba3","status":"affected","version":"c961ee5f21b202dea60b63eeef945730d92e46a6","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["security/apparmor/apparmorfs.c","security/apparmor/include/label.h","security/apparmor/include/lib.h","security/apparmor/include/policy.h","security/apparmor/include/policy_unpack.h","security/apparmor/label.c","security/apparmor/policy_unpack.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.13"},{"lessThan":"4.13","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.253","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.169","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.130","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.77","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.18","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.8","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.253","versionStartIncluding":"4.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"4.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.169","versionStartIncluding":"4.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.130","versionStartIncluding":"4.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.77","versionStartIncluding":"4.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.18","versionStartIncluding":"4.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.8","versionStartIncluding":"4.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"4.13","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix race between freeing data and fs accessing it\n\nAppArmor was putting the reference to i_private data on its end after\nremoving the original entry from the file system. However the inode\ncan aand does live beyond that point and it is possible that some of\nthe fs call back functions will be invoked after the reference has\nbeen put, which results in a race between freeing the data and\naccessing it through the fs.\n\nWhile the rawdata/loaddata is the most likely candidate to fail the\nrace, as it has the fewest references. If properly crafted it might be\npossible to trigger a race for the other types stored in i_private.\n\nFix this by moving the put of i_private referenced data to the correct\nplace which is during inode eviction."}],"metrics":[{"cvssV3_1":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"providerMetadata":{"dateUpdated":"2026-04-18T08:58:47.307Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/a92c5e5086a87d082696245a8607666da3d80554"},{"url":"https://git.kernel.org/stable/c/667df93769c02ff581c77d2d8f162147e719c557"},{"url":"https://git.kernel.org/stable/c/3ddb961d2929bbb3204a2bba21b5d8153cd3f7cc"},{"url":"https://git.kernel.org/stable/c/ae10787d955fb255d381e0d5589451dd72c614b1"},{"url":"https://git.kernel.org/stable/c/eecce026399917f6efa532c56bc7a3e9dd6ee68b"},{"url":"https://git.kernel.org/stable/c/13bc2772414d68e94e273dea013181a986948ddf"},{"url":"https://git.kernel.org/stable/c/2a732ed26fbd048e7925d227af8cf9ea43fb5cc9"},{"url":"https://git.kernel.org/stable/c/8e135b8aee5a06c52a4347a5a6d51223c6f36ba3"}],"title":"apparmor: fix race between freeing data and fs accessing it","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23411","datePublished":"2026-04-01T08:36:39.819Z","dateReserved":"2026-01-13T15:37:46.013Z","dateUpdated":"2026-04-18T08:58:47.307Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-01 09:16:17","lastModifiedDate":"2026-04-18 09:16:25","problem_types":[],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23411","Ordinal":"1","Title":"apparmor: fix race between freeing data and fs accessing it","CVE":"CVE-2026-23411","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23411","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix race between freeing data and fs accessing it\n\nAppArmor was putting the reference to i_private data on its end after\nremoving the original entry from the file system. However the inode\ncan aand does live beyond that point and it is possible that some of\nthe fs call back functions will be invoked after the reference has\nbeen put, which results in a race between freeing the data and\naccessing it through the fs.\n\nWhile the rawdata/loaddata is the most likely candidate to fail the\nrace, as it has the fewest references. If properly crafted it might be\npossible to trigger a race for the other types stored in i_private.\n\nFix this by moving the put of i_private referenced data to the correct\nplace which is during inode eviction.","Type":"Description","Title":"apparmor: fix race between freeing data and fs accessing it"}]}}}