HarborGuard / CVE
Back to search
HIGHCVE-2026-47333Published Modified CNA canonical

CVE-2026-47333: Out-of-bounds read in Ubuntu Linux AppArmor notification handling

Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine.

HarborGuard Analysis

HarborGuard analysis

Synopsis

An out-of-bounds heap memory read vulnerability exists in the AppArmor notification handling code in Ubuntu Linux versions 6.8, 6.17, and 7.0. The flaw is triggered locally by any unprivileged user account, requiring no network access, and causes invalid data to be fed into the AppArmor DFA policy engine. Successful exploitation gives an attacker read access to sensitive memory contents, the ability to tamper with data, and the ability to crash or destabilize the affected system. A patched-image rebuild at the fixed versions (6.8.0-124.124, 6.17.0-35.35, or 7.0.0-22.22) is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-47333 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from Canonical and upstream advisory feeds, including custom-built images derived from the affected Ubuntu base versions. HarborGuard is capable of identifying affected package versions in both public and internally maintained images across all connected registries and CI pipelines.

Available
Triage

HarborGuard scores this CVE at CVSS 7.8 HIGH and is capable of weighting that score against each customer environment's compliance policy to determine urgency and escalation thresholds. Triage findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild at the fixed Ubuntu kernel package versions (6.8.0-124.124, 6.17.0-35.35, and 7.0.0-22.22) is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; no network access is required to trigger the vulnerability.

  • AuthenticationRequired

    Any low-privilege local user account is sufficient to trigger the notification handling code path; no elevated or administrative privileges are needed.

  • Victim interactionNot required

    No action from another user or administrator is required; the attacker can trigger the bug independently.

  • Attack complexityDetail

    The exploit is reliable and condition-free, with no race conditions or special environmental factors required to trigger the out-of-bounds read.

Blast Radius

  • Reads arbitrary heap memory contents, which may include sensitive kernel data structures, credentials, or cryptographic material held in memory.
  • Modifies or corrupts data processed by the AppArmor DFA policy engine, potentially undermining mandatory access control decisions for other processes.
  • Crashes or destabilizes the affected system by causing the kernel to process invalid memory contents during AppArmor notification handling.
  • Combines confidentiality loss and integrity impact to give a local attacker a strong foothold for further privilege escalation on the host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47333 is active across all connected registries and pipelines, matching images built on affected Ubuntu 6.8, 6.17, or 7.0 base layers against the known vulnerable package ranges. For environments running an affected version, a patched-image rebuild at 6.8.0-124.124, 6.17.0-35.35, or 7.0.0-22.22 is available. Where compliance policy permits, customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in those environments. Customers who manage remediation manually will see the affected images flagged with full CVSS detail and fix-version guidance in their HarborGuard dashboard.

See how HarborGuard automates this

Metrics

CVSS v3.1
7.8
Severity
HIGH
Fixed in
6.8.0-124.124
Affected Products
1

Fix available

6.8.0-124.1246.17.0-35.357.0.0-22.22
Patch commits
Affected packages
  • Canonical / Ubuntu Linux
    < 6.8.0-124.124 (from 6.8.0) · < 6.17.0-35.35 (from 6.17.0) · < 7.0.0-22.22 (from 7.0.0)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
CVE-2026-47333: Out-of-bounds read in Ubuntu Linux AppArmor notification handling | HarborGuard CVE