
Nine severe vulnerabilities have been identified in AppArmor, a widely used mandatory access control system for Linux. Collectively termed “CrackArmor,” these vulnerabilities permit unprivileged local users to elevate their privileges to root, break out of container isolation, and crash the kernel. The issue affects over 12.6 million enterprise Linux systems globally.

The origins of the CrackArmor vulnerabilities date back to Linux kernel version 4.11, launched in 2017, and have gone unnoticed in live environments for nearly nine years.

Discovered by the Qualys Threat Research Unit (TRU) and publicly disclosed on March 12, 2026, the weaknesses lie in AppArmor’s implementation as a Linux Security Module (LSM), not in its underlying security design.

AppArmor has been integrated into the mainstream Linux kernel since version 2.6.36 and is shipped enabled by default on Ubuntu, Debian, and SUSE, greatly broadening its attack surface throughout enterprise data centers, Kubernetes clusters, IoT setups, and cloud infrastructures.

Data from Qualys CyberSecurity Asset Management highlights the extent of the vulnerability: more than 12.6 million enterprise Linux instances operate AppArmor enabled by default, all potentially susceptible until fixed.

CrackArmor Vulnerabilities

At the heart of CrackArmor lies a confused deputy weakness, a type of flaw where an unprivileged individual deceives a privileged process into executing unauthorized actions on their behalf.

Attackers take advantage of this by writing to AppArmor’s pseudo-files situated at /sys/kernel/security/apparmor/.load, .replace, and .remove, employing trusted system tools like Sudo and Postfix as unwitting intermediaries.

Since these tools function with elevated permissions, they bypass user-namespace limitations that would generally obstruct the attacker’s direct access, thus enabling arbitrary code execution within the kernel itself.

The attack configurations enabled by CrackArmor are diverse and serious:

  • Policy Circumvention: Unprivileged users can discreetly eliminate safeguards for critical system daemons such as rsyslogd and cupsd, or load deny-all profiles for sshd to obstruct all SSH access.
  • Local Privilege Escalation (LPE) to Root (User-Space): Loading a profile that removes CAP_SETUID from sudo and altering the MAIL_CONFIG environment variable can compel sudo to execute Postfix’s sendmail binary as root, resulting in full root shell access.
  • Kernel-Space LPE: By exploiting a use-after-free vulnerability in the aa_loaddata function, attackers may reallocate released kernel memory as a page table that maps /etc/passwd, directly overwriting the root password entry and achieving root access via su.
  • Container and Namespace Breach: By loading a “userns” profile targeting /usr/bin/time, unprivileged users can create fully-capable user namespaces, undermining the namespace restriction measures previously deployed in Ubuntu.
  • Denial of Service via Stack Exhaustion: Profiles with deeply nested subprofiles (up to 1,024 levels) may deplete the kernel’s 16 KB stack during recursive removal, resulting in a kernel panic and mandatory system reboot.
  • KASLR Circumvention: Out-of-bounds reads during profile parsing may leak kernel memory addresses, neutralizing Kernel Address Space Layout Randomization and paving the way for further exploitation chains.

As of this writing, no CVE identifiers have been granted to the CrackArmor vulnerabilities. Since the issues reside in the upstream Linux kernel, only the upstream kernel team possesses the authority to allocate CVE numbers, a process that typically spans one to two weeks post-fix stabilization in a stable release. Security teams should not permit the lack of a CVE number to delay their remediation efforts.

Qualys TRU has developed functional proof-of-concept exploit code demonstrating the entire attack chain. Although the team has refrained from public release to facilitate patch deployment, the technical mechanisms of the vulnerabilities are adequately documented for independent verification by the wider security community.

Organizations operating AppArmor-enabled Linux systems should take the following measures without delay:

  • Immediately apply all available vendor kernel and AppArmor security updates for Ubuntu, Debian, SUSE, and their derivatives.
  • Deploy Qualys QID 386714 to scrutinize all Linux endpoints for affected AppArmor versions and prioritize internet-exposed assets.
  • Monitor /sys/kernel/security/apparmor/ for any unexpected profile modifications, which may indicate active exploitation.
  • Utilize Qualys CyberSecurity Asset Management queries to catalog all Ubuntu, Debian, and SUSE assets with AppArmor installed across on-premises and cloud environments.
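As an added example (not code from the Qualys advisory), the monitoring recommendation above can be implemented by periodically diffing snapshots of the kernel’s profile listing at /sys/kernel/security/apparmor/profiles, which holds one “name (mode)” line per loaded profile. The two snapshots below are constructed for illustration; on a live host `current_snapshot()` reads the real file.

```python
"""Detect unexpected AppArmor profile changes (removed, newly loaded, or
mode-changed profiles) by diffing two snapshots of the kernel's listing."""
import re
from pathlib import Path

PROFILES_FILE = Path("/sys/kernel/security/apparmor/profiles")
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<mode>[a-z]+)\)$")


def parse_profiles(text):
    """Map profile name -> mode from the 'name (mode)' lines of the listing."""
    profiles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            profiles[m.group("name")] = m.group("mode")
    return profiles


def diff_profiles(baseline_text, current_text):
    """Return alerts for profiles removed, added, or whose mode changed."""
    base = parse_profiles(baseline_text)
    cur = parse_profiles(current_text)
    common = set(base) & set(cur)
    return {
        "removed": sorted(set(base) - set(cur)),
        "added": sorted(set(cur) - set(base)),
        "mode_changed": sorted((n, base[n], cur[n]) for n in common if base[n] != cur[n]),
    }


def current_snapshot():
    """Read the live listing; returns '' where securityfs is not mounted."""
    try:
        return PROFILES_FILE.read_text()
    except OSError:
        return ""


# Constructed sample snapshots (not captured from a real system): the
# rsyslogd profile vanished, cupsd dropped to complain, and a profile
# for /usr/bin/time appeared, matching the scenarios described above.
BASELINE = """/usr/sbin/cupsd (enforce)
/usr/sbin/rsyslogd (enforce)
/usr/sbin/sshd (enforce)
/usr/bin/man (complain)
"""
CURRENT = """/usr/sbin/cupsd (complain)
/usr/sbin/sshd (enforce)
/usr/bin/time (enforce)
/usr/bin/man (complain)
"""

if __name__ == "__main__":
    for kind, items in diff_profiles(BASELINE, CURRENT).items():
        for item in items:
            print(f"ALERT {kind}: {item}")
```

A profile replaced under the same name and mode (for example a deny-all sshd profile) does not change this listing; the kernel’s audit records for profile_load, profile_replace and profile_remove operations cover that case and should be collected alongside.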

Qualys has validated that its products and platforms are not impacted by the CrackArmor vulnerabilities.
