Qualys on CrackArmor

posted by Roy Schestowitz on Mar 14, 2026

• Qualys ☛ CrackArmor: Critical AppArmor Flaws Enable Local Privilege Escalation to Root

  Qualys TRU has discovered confused deputy vulnerabilities in AppArmor (named “CrackArmor”) that allow unprivileged users to bypass kernel protections, escalate to root, and break container isolation. The flaw has existed since 2017, and affected over 12.6 million systems globally. Immediate kernel patching is recommended to neutralize these vulnerabilities.

• LWN ☛ A set of AppArmor vulnerabilities

  Qualys has sent out a

  somewhat breathless advisory describing a number of vulnerabilities in

  the AppArmor security module, which is used in a number of Debian-based

  distributions (among others).

• Dolphin Publications B V ☛ Linux security layer extremely vulnerable: 12.6 million systems affected

  Nine critical vulnerabilities have been found in AppArmor, a Linux Security Module standard on Ubuntu, Debian, and SUSE. Together, they are referred to as CrackArmor. The vulnerabilities allow unauthorized users to bypass kernel protections, obtain root privileges, and break container isolation.

• IT Pro ☛ Alert issued over critical vulnerabilities in Linux’s AppArmor security layer – more than 12 million enterprise systems are at risk of root access

  Qualys researchers have uncovered a set of nine vulnerabilities in Linux's built-in security layer, AppArmor, that affect more than 12 million enterprise systems around the world.

  Researchers at the company's Threat Research Unit said the flaws allow unprivileged local users to circumvent kernel protections, escalate to root privileges, and weaken container isolation.

• Qualys research details nine AppArmor flaws affecting enterprise Linux systems

  Researchers at Qualys’ Threat Research Unit (TRU) have disclosed a set of nine vulnerabilities in AppArmor, a Linux security module used to confine application permissions, warning the issues could expose a large number of enterprise systems.

• Hacker News ☛ Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation

  Cybersecurity researchers have disclosed multiple security vulnerabilities within the Linux kernel's AppArmor module that could be exploited by unprivileged users to circumvent kernel protections, escalate to root, and undermine container isolation guarantees.

  The nine confused deputy vulnerabilities have been collectively codenamed CrackArmor by the Qualys Threat Research Unit (TRU). The cybersecurity company said the issue has existed since 2017. No CVE identifiers have been assigned to the shortcomings.

  AppArmor is a Linux security module that provides mandatory access control (MAC) and secures the operating system against external or internal threats by preventing known and unknown application flaws from being exploited. It has been included in the mainline Linux kernel since version 2.6.36.

• IT Brief Australia ☛ CrackArmour flaws in AppArmour risk Linux root access

  Qualys researchers have identified nine vulnerabilities in AppArmour that, they say, could let an unprivileged local Linux user gain root access and weaken container isolation on affected systems.

  Dubbed CrackArmour, the issues relate to how the Linux kernel handles AppArmour security profiles. Qualys characterised the underlying pattern as a "confused deputy" problem, in which a low-privilege user influences a trusted process to perform an action that would normally be blocked.