CrackArmor: Nine AppArmor Flaws Expose 12.6 Million Linux Systems to Root Privilege Escalation
Qualys researchers have discovered nine vulnerabilities in the Linux AppArmor security module, collectively named CrackArmor, that allow unprivileged local users to escalate privileges to root and bypass container isolation.

A set of nine newly discovered vulnerabilities in the Linux security module AppArmor, collectively named 'CrackArmor,' could allow unprivileged local attackers to gain root access, bypass container isolation, and crash systems. The flaws were uncovered by the Qualys Threat Research Unit (TRU) and affect the Linux kernel since version 4.11, released in 2017.
AppArmor is enabled by default in widely used Linux distributions including Ubuntu, Debian, and SUSE. Qualys estimates that more than 12.6 million enterprise Linux systems currently run with AppArmor active. These systems are commonly deployed across enterprise infrastructure, cloud platforms, Kubernetes environments, IoT devices, and edge deployments.
The vulnerabilities stem from a 'confused deputy' flaw that allows an unprivileged local user to manipulate AppArmor security profiles. By abusing the kernel's AppArmor pseudo-files, attackers can bypass user-namespace restrictions and execute arbitrary code. No administrative credentials are required: any foothold as a standard local account could be enough to compromise the system.
Potential impacts include local privilege escalation (LPE) to root, kernel crashes triggered by stack exhaustion, denial-of-service (DoS) attacks through manipulated security profiles, container isolation bypass, and possible exposure of kernel memory through out-of-bounds reads. An attacker could, for example, load a 'deny-all' profile against services such as SSH, preventing legitimate remote connections. Deeply nested profile removals may also exhaust the kernel stack, potentially triggering a kernel panic and forced reboot.
Qualys researchers said they developed proof-of-concept (POC) exploits demonstrating the vulnerabilities but have not publicly released the exploit code to limit risk to unpatched systems. 'These discoveries highlight critical gaps in how we rely on default security assumptions,' said Dilip Bachwani, Qualys CTO. 'CrackArmor proves that even the most entrenched protections can be bypassed without admin credentials.'
No CVE identifiers have yet been assigned, as vulnerabilities affecting the upstream Linux kernel typically receive CVEs only after fixes are incorporated into stable releases. Qualys nevertheless urged organizations to treat the Ubuntu advisory as urgent. Security teams are advised to apply vendor kernel updates immediately, scan their environments for vulnerable systems (hosts running AppArmor on a kernel from 4.11 onward that has not yet received the fix), and monitor AppArmor profile directories for suspicious modifications.
The disclosure follows a pattern of increasingly sophisticated attacks on core Linux security mechanisms. Earlier this year, researchers released an exploit for the DirtyDecrypt Linux root escalation flaw (CVE-2026-1234), and the Linux kernel's security mailing list has been overwhelmed by AI-generated vulnerability reports. For organizations running AppArmor, the CrackArmor vulnerabilities represent a critical risk that demands immediate patching.