This is a security advisory and vulnerability disclosure from the Phrack organization, detailing four vulnerabilities in the AppArmor security system, which is used in various Linux distributions, including Ubuntu, Debian, and SUSE.

**Summary**

The advisory describes four vulnerabilities in AppArmor, which can be exploited to achieve arbitrary code execution, gain read and write access to sensitive data, and take control of the system. The vulnerabilities are:

1. **CVE-2025-38001**: A buffer overflow in the `add_key` syscall, which can be exploited to write arbitrary data to kernel memory.
2. **CVE-2025-38002**: A use-after-free vulnerability in the `keyctl` system call, which can be exploited to read arbitrary data from kernel memory.
3. **CVE-2025-38003**: A buffer overflow in the `setsockopt` system call, which can be exploited to write arbitrary data to kernel memory.
4. **CVE-2025-38004**: A vulnerability in the `sudocard` system call, which can be exploited to read and write arbitrary data from kernel memory.

**Exploitation**

The advisory provides detailed information on how to exploit each vulnerability, including the steps to take, the tools needed, and the potential damage that can be caused.

For example, for CVE-2025-38001, the advisory suggests using the `add_key` syscall to write arbitrary data to kernel memory, and then using the `keyctl` system call to read the data from kernel memory. Similarly, for CVE-2025-38002, the advisory suggests using the `keyctl` system call to write arbitrary data to kernel memory, and then using the `add_key` syscall to read the data from kernel memory.

**Patch and Disclosure Timeline**

The advisory provides a detailed timeline of the patch and disclosure process, including the following milestones:

* 2025-07-10: The vulnerabilities were first discovered.
* 2025-08-01: The first batch of vulnerabilities was sent to Ubuntu's security team and Canonical's AppArmor developers.
* 2025-09-09: The second batch of vulnerabilities was sent to Ubuntu's security team and Canonical's AppArmor developers.
* 2025-10-20: A draft of the advisory was sent to Ubuntu's security team and Canonical's AppArmor developers.
* 2025-12-15: The advisory was shared with Ubuntu's security team and Canonical's AppArmor developers to express concerns about the state of the vulnerability disclosure.
* 2026-01-14: Another email was sent to Ubuntu's security team and Canonical's AppArmor developers to reiterate the concerns.
* 2026-02-11: The Coordinated Release Date was set to 2026-03-03.
* 2026-02-17: Patches were received from Canonical's AppArmor developers.
* 2026-02-17: The first version of the patches was sent to Debian's security team and SUSE's security team.
* 2026-02-19: A review of the patches was sent to Ubuntu's security team and Canonical's AppArmor developers.
* 2026-02-24: The Linux kernel security team was contacted.
* 2026-02-26: Patches were received from Canonical's AppArmor developers.
* 2026-02-26: The advisory and patches were sent to the linux-distros mailing list.
* 2026-03-03: The patches were published upstream in Linus's tree.

**Acknowledgments**

The advisory acknowledges the contributions of various individuals and organizations, including Ubuntu's security team, Canonical's AppArmor developers, Sudo's maintainer, Debian's security team, SUSE's security team, the Linux kernel security team, and the Phrack organization.