Qualys on CrackArmor
-
Qualys ☛ CrackArmor: Critical AppArmor Flaws Enable Local Privilege Escalation to Root
Qualys TRU has discovered confused deputy vulnerabilities in AppArmor (named “CrackArmor”) that allow unprivileged users to bypass kernel protections, escalate to root, and break container isolation. The flaw has existed since 2017, and affected over 12.6 million systems globally. Immediate kernel patching is recommended to neutralize these vulnerabilities.
-
LWN ☛ A set of AppArmor vulnerabilities
Qualys has sent out a somewhat breathless advisory describing a number of vulnerabilities in the AppArmor security module, which is used in a number of Debian-based distributions (among others).
-
Dolphin Publications B V ☛ Linux security layer extremely vulnerable: 12.6 million systems affected
Nine critical vulnerabilities have been found in AppArmor, a Linux Security Module standard on Ubuntu, Debian, and SUSE. Together, they are referred to as CrackArmor. The vulnerabilities allow unauthorized users to bypass kernel protections, obtain root privileges, and break container isolation.
-
IT Pro ☛ Alert issued over critical vulnerabilities in Linux’s AppArmor security layer – more than 12 million enterprise systems are at risk of root access
Qualys researchers have uncovered a set of nine vulnerabilities in Linux's built-in security layer, AppArmor, that affect more than 12 million enterprise systems around the world.
Researchers at the company's Threat Research Unit said the flaws allow unprivileged local users to circumvent kernel protections, escalate to root privileges, and weaken container isolation.
-
Qualys research details nine AppArmor flaws affecting enterprise Linux systems
Researchers at Qualys’ Threat Research Unit (TRU) have disclosed a set of nine vulnerabilities in AppArmor, a Linux security module used to confine application permissions, warning the issues could expose a large number of enterprise systems.
-
Hacker News ☛ Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation
Cybersecurity researchers have disclosed multiple security vulnerabilities within the Linux kernel's AppArmor module that could be exploited by unprivileged users to circumvent kernel protections, escalate to root, and undermine container isolation guarantees.
The nine confused deputy vulnerabilities have been collectively codenamed CrackArmor by the Qualys Threat Research Unit (TRU). The cybersecurity company said the issue has existed since 2017. No CVE identifiers have been assigned to the shortcomings.
AppArmor is a Linux security module that provides mandatory access control (MAC) and secures the operating system against external or internal threats by preventing known and unknown application flaws from being exploited. It has been included in the mainline Linux kernel since version 2.6.36.
-
IT Brief Australia ☛ CrackArmour flaws in AppArmour risk Linux root access
Qualys researchers have identified nine vulnerabilities in AppArmour that, they say, could let an unprivileged local Linux user gain root access and weaken container isolation on affected systems.
Dubbed CrackArmour, the issues relate to how the Linux kernel handles AppArmour security profiles. Qualys characterised the underlying pattern as a "confused deputy" problem, in which a low-privilege user influences a trusted process to perform an action that would normally be blocked.
Two late pieces:
-
Nine critical vulnerabilities in Linux AppArmor put over 12M enterprise systems at risk
Security researchers at Qualys have disclosed nine vulnerabilities in AppArmor, the Linux Security Module that ships enabled by default across Ubuntu, Debian, and SUSE distributions.
An unprivileged local attacker can exploit the flaws to gain full root access, break out of container isolation, and crash systems, all without requiring administrative credentials, the researchers said in a blog post.
Dubbed “CrackArmor” by the Qualys Threat Research Unit (TRU), the vulnerabilities have existed since Linux kernel version 4.11, released in 2017. Qualys’s own asset management telemetry puts the exposed attack surface at over 12.6 million enterprise Linux instances running AppArmor by default, a figure that grows further when Kubernetes clusters, IoT deployments, and edge environments are counted, the blog post said.
-
CrackArmor Flaws Expose Linux Systems to Privilege Escalation
A set of newly identified vulnerabilities in the Linux security module AppArmor could allow attackers to gain root access, bypass system protections and trigger service outages across millions of systems.
The issues, collectively named 'CrackArmor,' were discovered by the Qualys Threat Research Unit (TRU). The researchers identified nine flaws that have existed in the Linux kernel since version 4.11 in 2017.
Because AppArmor is enabled by default in widely used Linux distributions, including Ubuntu, Debian and SUSE, the exposure is extensive.
-
Unprivileged users could exploit AppArmor bugs to gain root access
Researchers found nine “CrackArmor” flaws in Linux AppArmor that could let unprivileged users bypass protections, gain root privileges, and weaken container isolation.
Qualys researchers disclosed nine vulnerabilities, collectively tracked as CrackArmor, in the Linux kernel’s AppArmor module.
The flaws have existed since 2017 and could allow unprivileged users to bypass protections, escalate privileges to root, run code in the kernel, or cause denial-of-service conditions.
AppArmor is a Linux security module that protects the operating system and applications by enforcing strict behavior rules to block both known and unknown threats, including zero-day attacks. It adds mandatory access control to the traditional Unix discretionary access model and has been part of the Linux kernel since version 2.6.36, with development supported by Canonical since 2009.
-
Linux AppArmor Flaws Expose Millions of Systems to Privilege Escalation Risk, Researchers Warn
Researchers at Qualys have uncovered a set of vulnerabilities in the widely used Linux security module AppArmor that could allow attackers to gain elevated privileges on affected systems.
The vulnerabilities, collectively dubbed “CrackArmor,” were identified by the company’s Qualys Threat Research Unit and stem from flaws present in the Linux kernel since version 4.11 released in 2017.
-
Qualys Threat Research Unit Discovers "CrackArmor," Nine Vulnerabilities in Millions of Linux Systems
The Qualys Threat Research Unit (TRU) today announced its discovery of “CrackArmor,” a set of nine vulnerabilities within AppArmor, a widely used security module in the Linux kernel. These flaws have left over 12 million enterprise systems running Ubuntu, Debian, and SUSE distributions exposed since 2017, enabling local attackers to gain full root access, execute container breakouts, and cause system-wide crashes.
3 more
And here:
-
9 AppArmor vulnerabilities expose millions of Linux systems to root access
As reported by HackRead, nine critical vulnerabilities have been discovered in AppArmor, a widely used security tool for Linux systems. These flaws, present since 2017, could potentially affect over 12.6 million enterprise systems, including those running Ubuntu, Debian, and SUSE.
-
Critical AppArmor Flaws Expose Millions of Linux Systems to Local Root Attacks
Millions of Linux systems are now at risk after researchers discovered critical flaws in AppArmor, a security feature enabled by default across major distributions. These vulnerabilities (dubbed “CrackArmor”) allow unprivileged users to bypass protections, escape container boundaries, and ultimately gain full root control.