“CrackArmor”: Nine AppArmor Flaws Expose Over 12 Million Linux Systems to Root Escalation
Qualys researchers have uncovered a cluster of nine vulnerabilities lurking in Linux’s AppArmor security module since 2017 — enabling any local user to gain full root access, dismantle container isolation, and crash systems entirely. Patches are available; apply them now.
What Is CrackArmor?
The Qualys Threat Research Unit (TRU) has disclosed a set of nine security vulnerabilities in AppArmor, the Linux Security Module (LSM) that serves as the default mandatory access control mechanism on Ubuntu, Debian, SUSE, and their derivatives. Qualys has collectively named these flaws “CrackArmor.”
At the heart of the advisory is a class of software bug known as a confused deputy problem — a situation in which a highly privileged process is manipulated into performing unauthorized operations on behalf of an unprivileged user. Qualys likened it to “an intruder convincing a building manager with master keys to open restricted vaults that the intruder cannot enter alone.”
“CrackArmor proves that even the most entrenched protections can be bypassed without admin credentials. For CISOs, this means patching alone isn’t enough — we must re-examine our entire assumption of what ‘default’ configurations mean for our infrastructure.”
— Dilip Bachwani, CTO, Qualys
All nine vulnerabilities require unprivileged local user access — meaning an attacker must already have a standard account on the target system. Remote exploitation alone is not possible. However, because many enterprise environments, Kubernetes clusters, shared cloud VMs, and container platforms host numerous local users or run untrusted workloads, the practical risk is substantial.
CVE Assignments & Scope
As of March 19, 2026, the Linux Kernel CVE Numbering Authority has assigned two CVE identifiers to the nine vulnerabilities. The remaining seven are pending assignment — a deliberate process, as upstream kernel CVEs are typically issued only after fixes land in a stable release.
| CVE ID | Description | Severity |
|---|---|---|
| CVE-2026-23268 | Confused deputy flaw: an unprivileged user can open privileged AppArmor control files via securityfs and manipulate security profiles (load, replace, or remove) by routing the writes through trusted setuid tools such as su. | Critical |
| CVE-2026-23269 | Out-of-bounds read: a crafted AppArmor profile can leak up to 64 KiB of kernel memory, potentially exposing KASLR-randomized kernel addresses. | High |
| 7 additional flaws | Kernel stack exhaustion (denial of service / forced reboot), out-of-bounds reads and writes that could theoretically achieve arbitrary kernel code execution, a race condition enabling /etc/passwd page-cache overwrite for root privilege escalation, and further memory-management bugs. | CVE pending |
Technical Breakdown
The Confused Deputy Core (CVE-2026-23268)
AppArmor exposes its privileged control files under securityfs (typically mounted at /sys/kernel/security/). The privilege check for these files is performed at write time, against the credentials of the process doing the writing, rather than at open time against the credentials of the process that opened the file. An unprivileged user can therefore open a descriptor to one of these files and hand it to a setuid-root program such as su (for example by redirecting the program's output into it); when that program writes the right data to the descriptor, the write is authorized with root's credentials and the attacker can load, replace, or remove AppArmor profiles. In practice this means stripping confinement from any system service, locking every user out of SSH, or bypassing Ubuntu's unprivileged user-namespace restrictions.
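The following userspace model, added here as an illustration and not taken from the kernel, from Qualys, or from any published proof of concept, shows why "check at write time with the writer's credentials" is a confused-deputy bug and how binding the decision to the credentials captured at open() closes it. `Cred`, `ControlFile`, the capability name and the profile string are all constructed for the example; the hardened variant demonstrates the principle, not the text of the upstream patch.

```python
"""Model of open-time vs. write-time credential checks behind the AppArmor
confused-deputy flaw (CVE-2026-23268). Added example; not kernel code."""
from dataclasses import dataclass, field

CAP_MAC_ADMIN = "CAP_MAC_ADMIN"
# Constructed payload: a profile that would leave sshd unconfined.
PAYLOAD = b"profile /usr/sbin/sshd flags=(unconfined) {}"


@dataclass(frozen=True)
class Cred:
    """Stand-in for a task's credentials (uid plus capability set)."""
    uid: int
    caps: frozenset = frozenset()

    def capable(self, cap: str) -> bool:
        return cap in self.caps


@dataclass
class ControlFile:
    """Stand-in for an open securityfs file; f_cred mirrors the kernel's
    habit of recording the opener's credentials on the struct file."""
    path: str
    f_cred: Cred
    contents: list = field(default_factory=list)


def open_control_file(opener: Cred, path: str) -> ControlFile:
    # Vulnerable pattern: open() performs no privilege check, so any user
    # can obtain a descriptor and pass it to another process (e.g. as the
    # inherited stdout of a setuid helper).
    return ControlFile(path=path, f_cred=opener)


def write_checks_current(f: ControlFile, current: Cred, data: bytes) -> bool:
    """Vulnerable: authorize using the credentials of whoever calls write().
    A setuid-root deputy writing attacker-chosen bytes to an inherited
    descriptor passes this check with root's credentials."""
    if not current.capable(CAP_MAC_ADMIN):
        return False
    f.contents.append(data)
    return True


def write_checks_opener(f: ControlFile, current: Cred, data: bytes) -> bool:
    """Hardened (illustrative): authorize using the credentials captured at
    open(). The descriptor carries only the opener's authority, so it does
    not matter which process ends up performing the write."""
    if not f.f_cred.capable(CAP_MAC_ADMIN):
        return False
    f.contents.append(data)
    return True


USER = Cred(uid=1000)                                       # unprivileged account
ROOT = Cred(uid=0, caps=frozenset({CAP_MAC_ADMIN}))         # setuid-root deputy


def run_scenario(write_fn, opener: Cred, writer: Cred) -> bool:
    """Open .load as `opener`, then have `writer` perform the write.
    Returns True if the profile load would be accepted."""
    f = open_control_file(opener, "/sys/kernel/security/apparmor/.load")
    return write_fn(f, writer, PAYLOAD)


if __name__ == "__main__":
    for name, fn in (("check current", write_checks_current),
                     ("check opener", write_checks_opener)):
        print(f"{name:14} user opens, root deputy writes -> "
              f"{run_scenario(fn, USER, ROOT)}")
```

Under the vulnerable policy the deputy scenario succeeds even though the user who opened the file holds no capability; under the opener-bound policy it is refused while a genuine root administrator (opening and writing as root) still succeeds.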
Kernel Memory Leak (CVE-2026-23269)
A specially crafted AppArmor profile can trigger an out-of-bounds read past the kernel buffer used to store filenames for policy evaluation, leaking up to 64 KiB of kernel memory. This content can include KASLR-randomized kernel addresses, which could be used to defeat address space layout randomization in follow-on attacks.
Race Condition & Root Escalation
A race condition in the AppArmor kernel code can result in a write to already-freed and potentially reallocated memory. Qualys demonstrated exploiting this race to overwrite the page cache of /etc/passwd, producing a fake in-memory version that marks the root account as having no password — granting full root privilege escalation without touching disk.
Container Escape Vector
In container deployments executing potentially malicious or attacker-controlled images, the AppArmor vulnerabilities can be exploited without requiring a cooperating privileged application — making the container-escape vector particularly dangerous for Kubernetes and multi-tenant environments.
The sudo Side Channel
Qualys also identified a separate vulnerability in sudo — exploitable via the email notifications feature — that can be chained with the AppArmor flaws and the su utility to achieve local privilege escalation. The Rust rewrite of sudo, sudo-rs (default in Ubuntu 25.10 and later), is not affected because it does not implement email notification. Ubuntu security updates for both su (via util-linux) and sudo are available.
Affected Distributions
Any Linux kernel since version 4.11 (released April 2017) is vulnerable on distributions where AppArmor is enabled. Red Hat Enterprise Linux, CentOS, Rocky Linux, AlmaLinux, Amazon Linux, and Fedora use SELinux rather than AppArmor and are not affected. macOS uses its own proprietary access-control technology and is also unaffected.
Coordinated Disclosure Timeline
What To Do Right Now
Canonical and Qualys both recommend a two-track response: apply kernel patches and userspace mitigations. Userspace mitigations alone do not fully close the attack surface.
Ubuntu / Debian
SUSE / openSUSE
Detection & Monitoring
Security teams should monitor for suspicious patterns that may indicate active exploitation attempts:
- Unexpected invocations of `su -P`, `su --pty`, or `su` combined with output redirection into AppArmor policy interfaces
- Unexpected sudo failures: `setresuid(): Operation not permitted`, `unable to open /etc/sudoers`
- Modifications to AppArmor profile directories under `/etc/apparmor.d/`
- Access to `/sys/kernel/security/` from non-privileged processes
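The rules above can be turned into a small correlation pass over audit records. The script below is an added example, not Qualys or Canonical tooling: it joins auditd-style SYSCALL, EXECVE and PATH records by their audit serial, flags securityfs opens by non-root processes, `su -P`/`--pty` executions, writes under /etc/apparmor.d/ by anything other than the expected tools, and the two sudo error strings. The sample log is constructed, the record fields are a simplified subset of the real auditd format, and the allowlist of expected profile writers is an assumption to tune for your hosts.

```python
"""Detection pass for the CrackArmor indicators over constructed log lines.
Added example; audit record layout is simplified and the sample is synthetic."""
import re
from collections import defaultdict

SECURITYFS = "/sys/kernel/security/"
APPARMOR_DIR = "/etc/apparmor.d/"
SU_PTY_FLAGS = {"-P", "--pty"}
SUDO_FAILURES = ("setresuid(): Operation not permitted",
                 "unable to open /etc/sudoers")
# Processes expected to touch profile files; an assumption for this example.
EXPECTED_PROFILE_WRITERS = {"apparmor_parser", "dpkg", "apt", "aa-enforce"}

AUDIT_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(line):
    """Return (type, timestamp, serial, fields) or None for non-audit lines."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return rtype, ts, int(serial), fields


def group_events(lines):
    """Join SYSCALL/EXECVE/PATH records that share one audit serial."""
    events = defaultdict(lambda: {"paths": [], "argv": []})
    for line in lines:
        parsed = parse_audit(line)
        if not parsed:
            continue
        rtype, ts, serial, f = parsed
        ev = events[serial]
        ev["ts"] = ts
        if rtype == "SYSCALL":
            ev.update(f)                      # uid, auid, comm, exe, syscall...
        elif rtype == "PATH":
            ev["paths"].append(f.get("name", ""))
        elif rtype == "EXECVE":
            argc = int(f.get("argc", 0))
            ev["argv"] = [f.get(f"a{i}", "") for i in range(argc)]
    return events


def scan(lines):
    """Return a list of (serial, rule, detail) findings."""
    findings = []
    for serial, ev in sorted(group_events(lines).items()):
        uid, comm = ev.get("uid"), ev.get("comm", "")
        unprivileged = uid not in (None, "0")
        for p in ev["paths"]:
            # A shell redirecting su's output into securityfs shows up here as
            # the unprivileged shell opening the control file before exec.
            if unprivileged and p.startswith(SECURITYFS):
                findings.append((serial, "securityfs-unprivileged",
                                 f"uid={uid} comm={comm} path={p}"))
            if p.startswith(APPARMOR_DIR) and comm not in EXPECTED_PROFILE_WRITERS:
                findings.append((serial, "apparmor-profile-modified",
                                 f"auid={ev.get('auid')} comm={comm} path={p}"))
        if comm == "su" and SU_PTY_FLAGS & set(ev["argv"]):
            findings.append((serial, "su-pty", " ".join(ev["argv"])))
    for line in lines:                        # plain syslog lines from sudo
        if "sudo" in line and any(s in line for s in SUDO_FAILURES):
            findings.append((None, "sudo-failure", line.strip()))
    return findings


# Constructed sample: one attacker-like sequence, one benign parser run,
# one hand edit of a profile, two sudo errors and an unrelated sshd line.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1710000000.100:1001): arch=c000003e syscall=257 success=yes exit=3 uid=1000 auid=1000 comm="bash" exe="/usr/bin/bash"
type=PATH msg=audit(1710000000.100:1001): item=0 name="/sys/kernel/security/apparmor/.load" nametype=NORMAL
type=SYSCALL msg=audit(1710000000.101:1002): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="su" exe="/usr/bin/su"
type=EXECVE msg=audit(1710000000.101:1002): argc=2 a0="su" a1="-P"
type=SYSCALL msg=audit(1710000000.200:1003): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=0 comm="apparmor_parser" exe="/usr/sbin/apparmor_parser"
type=PATH msg=audit(1710000000.200:1003): item=0 name="/sys/kernel/security/apparmor/.replace" nametype=NORMAL
type=SYSCALL msg=audit(1710000000.300:1004): arch=c000003e syscall=257 success=yes exit=4 uid=0 auid=1000 comm="vim" exe="/usr/bin/vim"
type=PATH msg=audit(1710000000.300:1004): item=0 name="/etc/apparmor.d/usr.sbin.sshd" nametype=NORMAL
Mar 19 10:00:02 host sudo:    alice : setresuid(): Operation not permitted
Mar 19 10:00:05 host sudo:    alice : unable to open /etc/sudoers
Mar 19 10:00:09 host sshd[1234]: Accepted publickey for bob from 10.0.0.5
"""

if __name__ == "__main__":
    for serial, rule, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{serial or '-':>5} {rule:26} {detail}")
```

The root-owned apparmor_parser event is deliberately not flagged: profile loads by root through the normal tooling are expected, and alerting on them would bury the unprivileged opens that matter here.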
Context: A Pattern of Critical Linux Privilege Escalation
CrackArmor is not an isolated incident. Qualys has a documented track record of uncovering serious privilege escalation vulnerabilities in default Linux components. In 2022, the firm disclosed two flaws in Snap, Ubuntu’s universal application packaging system, that similarly allowed a low-privileged user to execute arbitrary code as root. That same year, AppArmor was among the hardening measures recommended to limit exposure to the Dirty Pipe kernel flaw — an irony not lost on the security community now that AppArmor itself is the subject of a critical advisory.
The eight-month disclosure timeline for CrackArmor, while longer than typical, reflects the complexity of coordinating patches across multiple upstream maintainers, distributions, and related components like sudo. Qualys noted that the process “extended significantly beyond typical timelines due to multiple rounds of patch review and communication delays with upstream maintainers.”
“Immediate kernel patching remains the non-negotiable priority for neutralizing these critical vulnerabilities, as interim mitigation does not offer the same level of security assurance as restoring the vendor-fixed code path.”
— Qualys TRU Advisory, March 2026
With over 12.6 million enterprise Linux instances running AppArmor by default — a figure that grows further when Kubernetes clusters, IoT deployments, and edge environments are counted — the urgency of patching cannot be overstated. Qualys has developed working proof-of-concept exploits, which it is withholding from public release to protect unpatched systems. The security community should assume independent researchers may reproduce the exploits at any time.