Executive Summary Qualys TRU has discovered confused deputy vulnerabilities in AppArmor (named “CrackArmor”) that allow unprivileged users to bypass kernel protections, escalate to root, and break container isolation. The flaw has existed since 2017, and affected over 12.6 million systems globally. Immediate kernel patching is recommended to neutralize these vulnerabilities.
The Qualys Threat Research Unit (TRU) has discovered nine vulnerabilities within AppArmor, a Linux Security Module (LSM) and the flaw has existed since 2017 (version v4.11). As the default mandatory access control mechanism for Ubuntu, Debian, SUSE, and numerous cloud platforms, its ubiquity across enterprise environments, Kubernetes, IoT, and edge environments amplifies the threat surface significantly.
This “CrackArmor” advisory exposes a confused-deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel. These flaws facilitate local privilege escalation to root through complex interactions with tools like Sudo and Postfix, alongside denial-of-service attacks via stack exhaustion and Kernel Address Space Layout Randomization (KASLR) bypasses via out-of-bounds reads. Consequently, these findings expose critical gaps in our reliance on default security assumptions. It fundamentally undermines system confidentiality, integrity, and availability globally, extending the vulnerability exploitation window for legacy deployments.
Qualys CyberSecurity Asset Management analysis quantifies the scope: over 12.6 million enterprise Linux instances operate with AppArmor enabled by default.
The Qualys Threat Research Unit (TRU) has developed Proof of Concepts (PoCs) demonstrating the full exploitation chain for the CrackArmor vulnerabilities. As part of our coordinated disclosure process, we developed working exploits and proof-of-concept demonstrations, which we shared with the security team to facilitate immediate remediation efforts.
While we withhold public release of exploit code to prioritize patch deployment and minimize risk exposure to unpatched environments, the technical nature of these flaws allows for independent validation by the security community. Consequently, transparency regarding the vulnerability mechanics remains critical to ensuring global infrastructure resilience.
Immediate kernel patching remains the non-negotiable priority for neutralizing these critical vulnerabilities, as interim mitigation does not offer the same level of security assurance as restoring the vendor-fixed code path. IT/Security Operations leadership must expedite emergency maintenance windows to deploy patched kernels without delay, while maintaining business continuity and ensuring the root cause of this critical privilege-escalation vector is eradicated.
These discoveries highlight critical gaps in how we rely on default security assumptions. CrackArmor proves that even the most entrenched protections can be bypassed without admin credentials. For CISOs, this means patching alone isn’t enough; we must re-examine our entire assumption of what ‘default’ configurations mean for our infrastructure. — Dilip Bachwani, Chief Technology Officer, Qualys
A note on CVEs: As of publication, no CVE identifiers have been assigned to these vulnerabilities. Since these exist in the upstream Linux kernel, the upstream kernel team is the only authority that can assign CVEs for them. Per their assignment process, IDs are typically issued one to two weeks after a fix lands in a stable kernel release, an intentional delay meant to give users who regularly track stable releases time to patch before vulnerabilities are publicly catalogued. While we respect the intent behind this approach, it’s worth noting that the assumptions underpinning this process don’t always align with how security tracking and patching work in practice, not just in enterprise environments, but across the broader ecosystem where CVEs serve as a critical coordination signal. Don’t let the absence of a CVE number downplay the significance. If you’re running affected versions, treat this advisory seriously and update accordingly.
Qualys has conducted a thorough review of our products and platforms and confirmed that our solutions are secure and unaffected.
Security Context & Vulnerability Mechanism
AppArmor functions as a Mandatory Access Control (MAC) framework whose source has been included in the mainline Linux kernel since version 2.6.36 (from 2010), and which ships enabled by default in several major distributions, notably Ubuntu, Debian, and SUSE. By binding security profiles to individual applications rather than users, it enforces a zero-trust posture within containers, cloud orchestration platforms, and edge devices. Its prevalence across these distributions and Kubernetes environments means that any compromise of AppArmor directly undermines the foundational trust boundary for millions of enterprise infrastructure endpoints simultaneously.
To clarify, this is an implementation-specific design flaw, not a failure of AppArmor’s underlying security model. A flaw in the AppArmor implementation does not mean Mandatory Access Control (MAC) is flawed; it means the kernel module code handling profiles had specific errors.
The CrackArmor vulnerabilities exploit a classic confused deputy flaw within this architecture. In essence, an unprivileged actor can manipulate a privileged process to perform actions on their behalf—effectively tricking trusted tools into bypassing controls they cannot access directly.
Analogy: This is comparable to an intruder convincing a building manager with master keys to open restricted vaults that the intruder cannot enter alone. In this scenario, attackers leverage trusted tools like Sudo or Postfix to modify protected AppArmor profiles via pseudo-files (/sys/kernel/security/apparmor/.load, .replace). This bypasses user-namespace restrictions and allows for arbitrary code execution within the kernel, collapsing container isolation and enabling local privilege escalation (LPE) to root.
Versions Affected by CrackArmor Vulnerabilities and Immediate Action Required
All Linux kernels since v4.11 are vulnerable on any distribution that integrates AppArmor — including Ubuntu, Debian, SUSE, and their derivatives — exposing a flaw that any unprivileged local user can exploit.
A wide range of Linux distributions may be affected as AppArmor is widely adopted across many major distros. Please refer to your distribution’s vendor advisories and patches for a complete list of vulnerable versions and available fixes. Qualys customers can visit this page for the latest list of QIDs to scan their environment.
Immediate Action Required:
Patch Immediately: Apply vendor security updates for AppArmor components across all affected distributions.
Scan Exposure: Use Qualys QIDs to identify internet-facing assets with risky open ports or unpatched kernels.
Monitor Profiles: Implement monitoring for unexpected changes in /sys/kernel/security/apparmor/ which may indicate active exploitation attempts.
Understanding the Potential Impact of the CrackArmor Vulnerabilities
Unprivileged local actors can manipulate AppArmor profiles to disable critical service protections or enforce deny-all policies, thereby inducing denial-of-service (DoS) attacks. Combined with kernel-level flaws inherent in profile parsing, attackers bypass user-namespace restrictions and achieve Local Privilege Escalation (LPE) to full root.
As the default security module across Ubuntu, Debian, and SUSE systems, this flaw makes local access a critical failure vector for these distributions. Policy manipulation compromises the entire host, while namespace bypasses facilitate advanced kernel exploits such as arbitrary memory disclosure. DoS and LPE capabilities result in service outages, credential tampering via passwordless root (e.g., /etc/passwd modification), or KASLR disclosure, which enables further remote exploitation chains. The immediate consequences are a loss of operational continuity, potential data breach, and an expanded attack surface for adversaries.
Technical Deep Dive:
Why Do CrackArmor Vulnerabilities Threaten Linux Security?
AppArmor is a mandatory access control framework that confines processes under its profiles on Linux systems where it is enabled. When this layer is bypassed, the security guarantees it provides — such as restricting file access, network capabilities, and system calls — can no longer be trusted, potentially undermining the isolation of containers, sandboxes, and services that depend on it. The following are some use cases and examples based on the vulnerabilities disclosed today:
Policy Bypass
The confused deputy problem in the vulnerabilities released allows an unprivileged user to load, replace, or remove arbitrary AppArmor profiles by writing to the pseudo‑files /sys/kernel/security/apparmor/.load, .replace, and .remove.
The consequences would be as follows, for example:
Loading a “deny‑all” profile for sshd blocks legitimate SSH access.
Denial of Service
When an AppArmor profile contains deeply nested subprofiles, the kernel’s recursive removal routine (__remove_profile() → __aa_profile_list_release()) can exhaust the kernel stack (≈16 KB on x86‑64). With CONFIG_VMAP_STACK guard pages, this overflow triggers a kernel panic and reboot.
Example: Removing a 1024‑level hierarchy of subprofiles leads to system crash.
Profile Loss on Restart
AppArmor’s init and service logic can unload profiles during upgrades or restarts, leaving processes unconfined without any alert to administrators.
Impact: Services run with full privileges unintentionally.
Local Privilege Escalation (LPE) to Root
The ability to manipulate AppArmor profiles enables multiple LPE vectors:
User‑space LPE: By loading a profile that denies CAP_SETUID to sudo, and manipulating the MAIL_CONFIG environment variable, an attacker can cause sudo to send mail as root (via Postfix’s sendmail) and obtain a root shell.
Kernel‑space LPE: Exploiting the use‑after‑free in aa_loaddata, an attacker can reallocate the freed page as a page table mapping /etc/passwd, overwrite the root password line, and gain full root privileges via su.
Container/Namespace Breakout
By loading a “userns” profile for /usr/bin/time, unprivileged users can create fully‑capable user namespaces, bypassing Ubuntu’s user‑namespace restrictions that were previously mitigated.
AppArmor is the trust boundary of Linux confinement. If it fails silently—whether through policy manipulation, kernel crashes, or privilege escalation—the entire security stack (container isolation, least‑privilege enforcement, service hardening) collapses. Administrators must patch AppArmor promptly and monitor for unusual profile changes to prevent the material degradation of security posture.
Technical Details of the CrackArmor vulnerabilities:
You can find the technical details of these vulnerabilities at:
To ensure transparency regarding our responsible disclosure process, we have included the full communication log in the advisory. This coordination spanned several months to ensure that fixes were robust and stable across all Linux distributions prior to public release.
We believe that responsible disclosure requires patience and trust. However, the coordination process for these vulnerabilities extended significantly beyond typical timelines due to multiple rounds of patch review and communication delays with upstream maintainers. We have documented every step to highlight the diligence our researchers must exercise to ensure a safe release for all users.
We thank Ubuntu’s security team, Canonical’s AppArmor developers, Sudo’s maintainer, Debian’s security team, SUSE’s security team, and the members of the linux-distros mailing list for their hard work on this release.
Qualys QID Coverage for Detecting the CrackArmor vulnerabilities:
Qualys is releasing the QIDs in the table below as they become available.
Qualys customers can use QID 45097 – Linux Kernel Version Running to identify the Linux kernel version active on the system at the time of the scan.
QID
Title
VulnSigs Version
386714
AppArmor Local Privilege Escalation Vulnerability (CrackArmor)
To be released approximately 5pm PST, 3/12/2026
Immediate Action Required: Scan all Linux endpoints using QID(s). Prioritize patching for internet-facing assets and verify AppArmor profile integrity.
Please check the Qualys Vulnerability Knowledgebase for the full list of coverage for this vulnerability.
Discover Vulnerable CrackArmor Assets with Qualys CyberSecurity Asset Management
The initial and crucial step in managing this critical vulnerability and mitigating associated risks is identifying all assets susceptible to this issue. Use CyberSecurity Asset Management 3.0 with External Attack Surface Management to identify your organization’s internet-facing instances and container/Kubernetes nodes that have vulnerable versions of CrackArmor vulnerabilities.
In the following example, we aim to identify all assets running Ubuntu, Debian, and SUSE:
software:(name:"apparmor") and operatingSystem.name: ["Ubuntu", "Debian", "SUSE"]
CyberSecurity Asset Management maintains a catalog of hardware and software lifecycle data built and curated by a dedicated research team, covering over 5,500 software publishers and 300,000 software releases, with automated daily updates to all CyberSecurity Asset Management customers.
Free Trial
Start a free trial of Qualys CyberSecurity Asset Management (CSAM) Today.
Enhancing Your Security Posture with Qualys VMDR to Detect and Remediate CrackArmor Vulnerabilities
Qualys VMDR provides comprehensive coverage and visibility into vulnerabilities, empowering organizations to rapidly respond, prioritize, and mitigate associated risks. Additionally, Qualys customers can leverage Qualys Patch Management to effectively remediate these vulnerabilities.
Leverage the power of Qualys VMDR alongside TruRiskTM and the Qualys Query Language (QQL) to efficiently identify and prioritize vulnerable assets, including container and Kubernetes nodes, effectively addressing the vulnerabilities highlighted above.
Automatically Patch CrackArmor Vulnerabilities with Qualys Patch Management
We expect vendors to release patches for this vulnerability shortly. Qualys Patch Management can automatically deploy those patches to vulnerable assets when they become available.
Customers can use the “patch now” button found to the right of the vulnerability to add CrackArmor to a patch job. Once patches are released, Qualys will find the relevant patches for this vulnerability and automatically add those patches to a patch job. This will allow customers to deploy those patches to vulnerable devices, all from the Qualys platform.
Free Trial
Start a free trial of Qualys TruRisk Eliminate Today.
Respond to Exploitation and Enable Compensating Controls with Qualys Container Security
If you are already exposed by these vulnerabilities, there may be containers that have broken out in your environment. With deep runtime visibility and protection, Qualys Container Security can detect and respond to container breakouts in your environment.
You can also leverage Qualys Admission Controller to prevent new containers in your Kubernetes clusters from performing a breakout with preventative and restrictive pre-deployment controls.
