CVE-2026-23408:
CBL Mariner vulnerability analysis and mitigation

In the Linux kernel, the following vulnerability has been resolved:

apparmor: Fix double free of ns_name in aa_replace_profiles()

if ns_name is NULL after 1071 error = aa_unpack(udata, &lh, &ns_name);

and if ent->ns_name contains an ns_name in 1089 } else if (ent->ns_name) {

then ns_name is assigned the ent->ns_name 1095 ns_name = ent->ns_name;

however ent->ns_name is freed at 1262 aa_load_ent_free(ent);

and then again when freeing ns_name at 1270 kfree(ns_name);

Fix this by NULLing out ent->ns_name after it is transferred to ns_name

Source: NVD

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Score

Published April 1, 2026

Severity HIGH

CNA Score 7.8

Affected Technologies

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 2.3

Exploitation Probability (EPSS) N/A

Affected packages and libraries

Sources

NVD
CBL-Mariner
- CBL-Mariner 3.0 Severity HIGHHas FixAdded at: Apr 12, 2026
Debian Security Tracker
- Debian 11, 12, 13, 14 Severity HIGHHas FixAdded at: Apr 02, 2026
Echo
- Echo Severity HIGHHas FixAdded at: Apr 02, 2026
Ubuntu Security Tracker
- Ubuntu 20.04, 22.04, 24.04, 25.10 Severity MEDIUMHas FixAdded at: Apr 02, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-23411	HIGH	7.8	CBL Mariner	linux-lowlatency-hwe-5.15	No	Yes	Apr 01, 2026
CVE-2026-23410	HIGH	7.8	CBL Mariner	linux-azure-fde-6.14	No	Yes	Apr 01, 2026
CVE-2026-23408	HIGH	7.8	CBL Mariner	linux-hwe-6.8	No	Yes	Apr 01, 2026
CVE-2026-23409	MEDIUM	6.5	CBL Mariner	linux-aws-6.17	No	Yes	Apr 01, 2026
CVE-2026-31394	MEDIUM	5.5	Linux Kernel	kernel-modules-extra	No	Yes	Apr 03, 2026