Nine critical vulnerabilities have been found in AppArmor, a Linux Security Module standard on Ubuntu, Debian, and SUSE. Together, they are referred to as CrackArmor. The vulnerabilities allow unauthorized users to bypass kernel protections, obtain root privileges, and break container isolation.
The flaws were discovered by researchers at Qualys and together make up the so-called CrackArmor advisory. They have existed since 2017 (kernel version v4.11) and affect more than 12.6 million enterprise Linux instances worldwide. AppArmor is the standard Mandatory Access Control mechanism for Ubuntu, Debian, and SUSE, and it is widely used in cloud environments, Kubernetes, IoT, and edge infrastructure.
How the attack works
The vulnerabilities are exploited through a confused deputy attack: an unauthorized user manipulates a privileged process into performing actions on their behalf, without having the necessary rights themselves. Specifically, attackers abuse tools such as Sudo or Postfix to modify AppArmor profiles via pseudo-files such as /sys/kernel/security/apparmor/.load and .replace.
This bypasses user-namespace restrictions and allows arbitrary code to run in the kernel. Consequences include local privilege escalation (LPE) to root, denial-of-service via stack exhaustion, and KASLR bypasses via out-of-bounds reads. Container isolation is also no longer guaranteed as a result.
Qualys TRU has developed Proof of Concept exploits that demonstrate the entire attack chain. These are not being released publicly, but have been shared with the relevant security teams to speed up patching.
“CrackArmor proves that even the most entrenched protections can be bypassed without admin credentials. For CISOs, this means patching alone isn’t enough; we must re-examine our entire assumption of what ‘default’ configurations mean for our infrastructure,” said Dilip Bachwani, CTO of Qualys.
All Linux kernels from v4.11 onwards are vulnerable on distributions that integrate AppArmor. Debian released a security update on March 12, 2026 that addresses the vulnerabilities. Ubuntu and SUSE are working on similar patches.
Qualys recommends applying vendor kernel patches immediately and setting up monitoring on /sys/kernel/security/apparmor/ for unauthorized profile changes.
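One way to act on the monitoring recommendation, as an added example that is not code from Qualys or the AppArmor project: it scans AppArmor audit records for profile load, replace, and remove events written by anything other than an expected loader. The allowlist, function names, and sample records are assumptions constructed for illustration, and it assumes the kernel's AppArmor STATUS audit records are being collected on the host.

```python
import re

# Assumption: the only process expected to load policy on this host; tune per environment.
EXPECTED_LOADERS = {"apparmor_parser"}
POLICY_OPS = {"profile_load", "profile_replace", "profile_remove"}
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records in the AppArmor audit format (not captured from an attack).
SAMPLE_LOG = '''\
type=AVC msg=audit(1773300000.101:88): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=611 comm="apparmor_parser"
type=AVC msg=audit(1773300042.550:97): apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/etc/shadow" pid=2210 comm="man" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1773300107.912:104): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=4821 comm="sudo"
type=AVC msg=audit(1773300108.003:105): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="docker-default" pid=4830 comm="bash"
'''

def parse_fields(line):
    """Split one audit record into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def unexpected_policy_changes(lines, expected=EXPECTED_LOADERS):
    """Return policy load/replace/remove records whose writer is not an expected loader."""
    findings = []
    for line in lines:
        rec = parse_fields(line)
        if rec.get("apparmor") != "STATUS" or rec.get("operation") not in POLICY_OPS:
            continue  # denials and other events are not policy changes
        if rec.get("comm") in expected:
            continue  # routine load by the normal policy loader
        # A record with no comm field is also reported, so gaps fail closed.
        findings.append({k: rec.get(k) for k in ("operation", "name", "comm", "pid")})
    return findings

if __name__ == "__main__":
    for finding in unexpected_policy_changes(SAMPLE_LOG.splitlines()):
        print("ALERT unexpected AppArmor policy change:", finding)
```

On a real host the input would be the audit log or kernel log stream rather than the embedded sample, and container runtimes or package tooling that legitimately load profiles should be reflected in the allowlist.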