CrackArmor flaws in AppArmor open path to root access on millions of Linux systems
Qualys has disclosed a set of nine AppArmor vulnerabilities, collectively named CrackArmor, that can let an unprivileged local user weaken security controls, escalate privileges to root, and in some cases break container isolation. The researchers say the flaws have existed since Linux kernel 4.11 in 2017 and affect systems where AppArmor runs by default, including Ubuntu, Debian, and SUSE-based environments.
The headline-grabbing number comes from Qualys itself. The company says more than 12.6 million enterprise Linux instances run with AppArmor enabled by default, which gives this disclosure unusually broad reach across servers, cloud workloads, Kubernetes environments, IoT, and edge systems.
This is not a remote worm, and that distinction matters. Canonical says all of the vulnerabilities require unprivileged local user access. In other words, an attacker must already have a foothold on the machine or inside a containerized environment before trying to chain these bugs into a full compromise. Even so, the flaws matter a great deal for shared systems, multi-user servers, and container hosts, where an unprivileged local account is exactly what is available.
Qualys says the main issue is a confused deputy problem in AppArmor policy management. In its write-up, the company explains that an unprivileged user can manipulate AppArmor pseudo-files through trusted privileged tools, then use that primitive to remove protections, load hostile profiles, crash the system, leak kernel memory, or reach root through follow-on bugs. Openwall’s oss-security thread, which carries the technical disclosure, describes the same chain and lists additional kernel-side weaknesses including out-of-bounds reads, a use-after-free, a double-free, and stack exhaustion.
Canonical’s response adds an important nuance that many summaries miss. On Ubuntu hosts that are not running containers, exploitation usually needs cooperation from a privileged application such as su or a vulnerable sudo path. In container deployments, Canonical says the AppArmor kernel vulnerabilities may be exploitable without a cooperating privileged userspace application, which is why container environments deserve special attention.
What CrackArmor can do
| Impact | What researchers say |
|---|---|
| Local privilege escalation | Qualys says unprivileged users can escalate to full root privileges through chained AppArmor issues. |
| Policy bypass | Attackers can remove or replace AppArmor protections for important services. |
| Container escape risk | Canonical says container deployments could theoretically face escape scenarios. |
| Denial of service | Openwall details kernel stack exhaustion and profile abuse that can crash systems. |
| Kernel memory disclosure | Openwall says out-of-bounds reads can leak kernel memory and KASLR-relevant pointers. |
Sources: Qualys advisory, Canonical blog, Openwall disclosure.
Why this disclosure stands out
The most serious part is not just the bug count. It is the combination of reach, age, and privilege impact. Qualys says the flaws date back to 2017, and Canonical confirms that all supported Ubuntu releases are affected by the core confused deputy vulnerability. Debian has already published security updates for affected kernel packages in stable and oldstable, which shows vendors are treating the issue as urgent even before CVE IDs are assigned.
Another key point is that there are no CVE IDs yet. Both Qualys and Canonical say the CrackArmor issues had not received CVE assignments at publication time. That should not slow down patching. Vendor guidance already exists, and the lack of a CVE does not change the risk for exposed systems.
What Ubuntu and Debian have said
Canonical says it has prepared Linux kernel security updates for supported Ubuntu releases and also shipped userspace mitigations for sudo and util-linux. The company strongly recommends installing both the kernel fixes and the userspace updates, then rebooting after the kernel upgrade. Canonical also notes that sudo-rs in Ubuntu 25.10 and later is not affected by the related sudo issue used in one host-side chain.
Debian security advisories published on March 12, 2026 say several AppArmor vulnerabilities in the Linux kernel have been fixed in updated linux packages for stable and oldstable. The Debian notices point directly to the Qualys advisory and recommend upgrading the kernel packages.
What admins should do now
- Patch the Linux kernel on AppArmor-enabled systems as soon as vendor fixes are available.
- On Ubuntu, apply both kernel updates and the userspace updates for sudo and util-linux, then reboot.
- Prioritize multi-user systems, container hosts, and internet-facing Linux servers with local access paths for users or workloads. This is an inference based on the local-access requirement and Canonical’s container guidance.
- Watch for unexpected changes involving AppArmor policy handling and investigate local privilege escalation activity. Qualys specifically highlights policy manipulation as part of the attack chain.
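A defender-side check for the last point, added here as an example rather than code from Qualys, Canonical, or this article: it parses AppArmor `type=1400` audit records in the form the kernel writes to dmesg or auditd and flags policy-management events, namely profile removals and any load or replacement performed by a process other than `apparmor_parser`. The log lines below are constructed samples, not real captures.

```python
import re
from typing import Optional

# key="value" or key=value pairs in an AppArmor audit record. The keys used
# here (apparmor, operation, profile, name, pid, comm) are the standard fields
# the kernel emits for type=1400 records.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Policy-management operations, as opposed to ordinary DENIED/ALLOWED records.
POLICY_OPS = {"profile_load", "profile_replace", "profile_remove"}

def parse_apparmor_record(line: str) -> Optional[dict]:
    """Return the fields of an AppArmor audit line as a dict, or None if the
    line is not an AppArmor record. Works on both dmesg and auditd layouts."""
    if 'apparmor="' not in line:
        return None
    return {k: (quoted or bare) for k, _, quoted, bare in _KV.findall(line)}

def policy_changes(lines, expected_loader: str = "apparmor_parser"):
    """Return every policy-management event in `lines`; each carries a list of
    reasons that is non-empty when the event deviates from what a boot-time
    load or a package upgrade normally looks like."""
    events = []
    for line in lines:
        rec = parse_apparmor_record(line)
        if not rec or rec.get("operation") not in POLICY_OPS:
            continue
        reasons = []
        if rec["operation"] == "profile_remove":
            reasons.append("profile removed")  # a confined service lost its policy
        if rec.get("comm") != expected_loader:
            reasons.append(f"unexpected loader comm={rec.get('comm')}")
        events.append({**rec, "reasons": reasons})
    return events

# Constructed sample lines: a normal boot-time load, a profile removal, a
# replacement driven by an unexpected process, and an unrelated DENIED record.
SAMPLE_LOG = [
    '[   12.345678] audit: type=1400 audit(1710000000.001:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=812 comm="apparmor_parser"',
    '[  901.234567] audit: type=1400 audit(1710000889.002:11): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="/usr/sbin/cupsd" pid=4321 comm="apparmor_parser"',
    '[  902.000000] audit: type=1400 audit(1710000890.003:12): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sshd" pid=4333 comm="bash"',
    '[  903.000000] audit: type=1400 audit(1710000891.004:13): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for ev in policy_changes(SAMPLE_LOG):
        level = "ALERT" if ev["reasons"] else "info"
        print(f'{level}: {ev["operation"]} {ev["name"]} by {ev["comm"]} {"; ".join(ev["reasons"])}')
```

Package upgrades legitimately emit profile_load and profile_replace through apparmor_parser, so correlate flagged events with package-manager activity before treating them as policy tampering.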
FAQ
CrackArmor is Qualys’ name for a group of nine AppArmor vulnerabilities that can let local attackers weaken protections, escalate privileges, and potentially break container isolation.
The published guidance says the bugs require unprivileged local user access. They are not described as remote unauthenticated flaws.
No. Qualys and Canonical both said CVE IDs had not been assigned at publication time.
Qualys names Ubuntu, Debian, and SUSE because AppArmor is widely enabled there by default. Canonical and Debian have already published mitigation or patch guidance.
Install vendor kernel updates. On Ubuntu, also install the related sudo and util-linux updates, then reboot.