Unprivileged users could exploit AppArmor bugs to gain root access

Researchers found nine “CrackArmor” flaws in Linux AppArmor that could let unprivileged users bypass protections, gain root privileges, and weaken container isolation.
Qualys researchers disclosed nine vulnerabilities, collectively tracked as CrackArmor, in the Linux kernel’s AppArmor module.
The flaws have existed since 2017 and could allow unprivileged users to bypass protections, escalate privileges to root, run code in the kernel, or cause denial-of-service conditions.
AppArmor is a Linux security module that protects the operating system and applications by enforcing strict behavior rules to block both known and unknown threats, including zero-day attacks. It adds mandatory access control to the traditional Unix discretionary access model and has been part of the Linux kernel since version 2.6.36, with development supported by Canonical since 2009.
Because AppArmor is widely deployed in enterprise systems, cloud platforms, containers, and IoT environments, the issue potentially affects more than 12.6 million Linux systems.
Researchers developed proof-of-concept exploits but did not release them publicly to reduce risk.
No CVE identifiers have been assigned yet, but security teams are strongly advised to patch the Linux kernel immediately, as updates are the only reliable way to mitigate the risk.
The CrackArmor flaws expose a confused-deputy issue that lets unprivileged users manipulate AppArmor security profiles, bypass namespace limits, and run code in the Linux kernel. Attackers could escalate privileges to root through interactions with tools like Sudo and Postfix, trigger denial-of-service attacks, and bypass Kernel Address Space Layout Randomization protections. The findings highlight serious weaknesses in default security assumptions and could impact system confidentiality, integrity, and availability.
“This ‘CrackArmor’ advisory exposes a confused-deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel,” reads the report. “These flaws facilitate local privilege escalation to root through complex interactions with tools like Sudo and Postfix, alongside denial-of-service attacks via stack exhaustion and Kernel Address Space Layout Randomization (KASLR) bypasses via out-of-bounds reads.”
The CrackArmor flaws in AppArmor let unprivileged users trigger denial-of-service by loading “deny-all” profiles or removing nested subprofiles, causing kernel panics and forced reboots. Because AppArmor is enabled by default on Ubuntu, Debian, and SUSE, the cloud, Kubernetes, and edge systems built on them are at risk. These vulnerabilities could be exploited by state-sponsored hackers, making immediate kernel patching and monitoring critical.
The CrackArmor vulnerabilities stem from a design flaw in AppArmor, the Linux Mandatory Access Control framework included in the kernel since 2.6.36 and enabled by default in Ubuntu, Debian, SUSE, and derivatives. Unprivileged users can trick privileged processes like Sudo or Postfix into modifying AppArmor profiles via pseudo-files, thereby bypassing namespace restrictions, executing arbitrary kernel code, collapsing container isolation, and escalating to root. The flaws affect all kernel versions since v4.11. Organizations must patch immediately, scan for exposure using Qualys QIDs, and monitor /sys/kernel/security/apparmor/ for profile changes. These flaws undermine the zero-trust foundations of enterprise, cloud, Kubernetes, and edge deployments, making rapid remediation critical.
“This is comparable to an intruder convincing a building manager with master keys to open restricted vaults that the intruder cannot enter alone. In this scenario, attackers leverage trusted tools like Sudo or Postfix to modify protected AppArmor profiles via pseudo-files (/sys/kernel/security/apparmor/.load, .replace),” continues the report. “This bypasses user-namespace restrictions and allows for arbitrary code execution within the kernel, collapsing container isolation and enabling local privilege escalation (LPE) to root.”
Organizations should patch immediately, use Qualys QIDs to scan for exposed systems, and monitor /sys/kernel/security/apparmor/ for unauthorized profile changes. Check vendor advisories for affected versions and fixes to secure enterprise, cloud, Kubernetes, and edge deployments.
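One way to implement the profile monitoring recommended above is to snapshot the kernel's loaded-profile list (the `profiles` pseudo-file under /sys/kernel/security/apparmor/, one `name (mode)` line per profile) and diff it against a known-good baseline. The script below is an added illustration, not code from the Qualys report; the two snapshots it compares are constructed, and `rogue-profile` is a placeholder name.

```python
"""Diff snapshots of /sys/kernel/security/apparmor/profiles (one "name (mode)" line
per profile) to flag unexpected AppArmor profile changes. Sample data is constructed."""
import re

PROFILES_PATH = "/sys/kernel/security/apparmor/profiles"
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<mode>[a-z]+)\)$")


def parse_profiles(text):
    """Return {profile_name: mode}; nested subprofiles appear as parent//child."""
    state = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected profiles line: {line!r}")
        state[m["name"]] = m["mode"]
    return state


def diff_profiles(before, after):
    """Classify differences into alert tuples (kind, profile, detail)."""
    alerts = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            alerts.append(("profile_added", name, new))
        elif new is None:
            # Removal of a nested subprofile is one of the DoS triggers described above.
            kind = "subprofile_removed" if "//" in name else "profile_removed"
            alerts.append((kind, name, old))
        elif old != new:
            # enforce -> complain (or unconfined) silently disables confinement.
            kind = "enforcement_weakened" if old == "enforce" else "mode_changed"
            alerts.append((kind, name, f"{old}->{new}"))
    return alerts


# Constructed snapshots: a subprofile vanishes, smtpd drops to complain, a new profile appears.
BASELINE = """\
/usr/sbin/cupsd (enforce)
/usr/sbin/cupsd//third_party (enforce)
/usr/lib/postfix/sbin/smtpd (enforce)
"""
LATEST = """\
/usr/sbin/cupsd (enforce)
/usr/lib/postfix/sbin/smtpd (complain)
rogue-profile (enforce)
"""

if __name__ == "__main__":
    # On a live host, replace LATEST with open(PROFILES_PATH).read().
    for alert in diff_profiles(parse_profiles(BASELINE), parse_profiles(LATEST)):
        print(*alert)
```

Run it periodically (or from an auditd-triggered hook on writes to the .load/.replace/.remove pseudo-files) and forward any non-empty alert list to your SIEM.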
“Immediate kernel patching remains the non-negotiable priority for neutralizing these critical vulnerabilities, as interim mitigation does not offer the same level of security assurance as restoring the vendor-fixed code path,” concludes the report.
