Qualys’s Threat Research Unit (TRU) has published the details of CrackArmor, a set of nine vulnerabilities in the Linux kernel’s AppArmor module. The uncomfortable part is the age of the code: the flawed logic has been present since kernel 4.11, released in 2017. For nearly nine years any system that ships AppArmor enabled by default carried these bugs without anyone reporting them.
AppArmor is one of the most widely deployed Linux Security Modules. Ubuntu, Debian, SUSE and their derivatives ship it enabled out of the box to confine processes through profiles that restrict which files and capabilities each program can touch. The irony of CrackArmor is that the very mechanism designed to contain processes becomes the path in.
What a confused deputy flaw means
The problem falls under the confused deputy pattern: a privileged component acts on behalf of a less-privileged user without checking whether that user had the right to request the operation. In AppArmor’s case, an unprivileged local user manipulates security profiles through the pseudo-files exposed in /sys/kernel/security/apparmor/, a tree that user cannot write to directly, by leaning on trusted tools that run with elevated privileges, such as sudo or Postfix, to carry the write for them. The attacker doesn’t pick the lock; they talk the keyholder into opening it.
Qualys lists several concrete outcomes:
- Local privilege escalation to root through policy manipulation.
- Kernel memory disclosure via out-of-bounds reads, which defeats KASLR and smooths the way for later exploits.
- Denial of service through recursive stack exhaustion, ending in kernel panics.
- Container breakout by bypassing Ubuntu’s user-namespace restrictions, a direct hit on Kubernetes nodes and multi-tenant setups.
- Loading deny-all profiles that block legitimate access to services.
Who is affected and how serious it is
This is a local privilege escalation: the attacker already needs an account or a running process on the machine, so it is not exploitable straight from the internet. The severity is still high because it turns any foothold (a compromised web app, a low-privilege shell, a process inside a container) into full control of the host.
Qualys puts the figure at more than 12.6 million potentially vulnerable systems worldwide, spread across cloud, Kubernetes, IoT and edge environments. The full set covers eleven patches for nine flaws: CVE-2026-23268, CVE-2026-23269 and the run from CVE-2026-23403 to CVE-2026-23411. Each one requires unprivileged local access. You can check which kernel versions are still supported on the Linux kernel page in this directory.
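As an added scoping check (not from Qualys or the page’s source), the shell snippet below answers the first question a fleet owner has after reading the numbers above: does this host fall into the affected population, meaning a kernel at or above 4.11 with AppArmor enabled? It deliberately does not decide whether the host is already patched, because fixed package versions differ per distribution and are not stated on this page. The release strings fed to it are constructed examples; the kernel’s /sys/module/apparmor/parameters/enabled file is real, but the optional file argument that lets the check run against a scratch file is an assumption of this example.

```shell
#!/bin/sh
# Scoping check for CrackArmor: "in scope" means kernel >= 4.11 with AppArmor
# enabled. Whether the running kernel carries the fix must be confirmed against
# your distribution's advisory; this script knows no fixed package versions.

# kernel_at_least RELEASE MAJOR MINOR
# RELEASE is a `uname -r` string such as 5.15.0-91-generic or 6.1.0-rc2-amd64.
# Returns 0 if RELEASE >= MAJOR.MINOR, 1 if older, 2 if it cannot be parsed.
kernel_at_least() {
    rel=$1; want_major=$2; want_minor=$3
    case "$rel" in *.*) ;; *) return 2 ;; esac   # need at least major.minor
    major=$(printf '%s' "$rel" | cut -d. -f1)
    minor=$(printf '%s' "$rel" | cut -d. -f2 | sed 's/[^0-9].*//')  # drop -rcN etc.
    case "$major$minor" in
        *[!0-9]*|'') return 2 ;;                  # non-numeric components
    esac
    [ "$major" -gt "$want_major" ] && return 0
    [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ] && return 0
    return 1
}

# apparmor_enabled [PARAM_FILE]
# Reads the kernel's apparmor.enabled parameter ("Y" or "N"). The optional
# PARAM_FILE argument (an assumption of this example) lets the check be run
# against a constructed file instead of the live /sys path.
apparmor_enabled() {
    f=${1:-/sys/module/apparmor/parameters/enabled}
    [ -r "$f" ] || return 1
    [ "$(tr -d '[:space:]' < "$f")" = "Y" ]
}

# in_scope RELEASE [PARAM_FILE]
# Prints a one-line verdict; returns 0 when the host is in the affected population.
in_scope() {
    if kernel_at_least "$1" 4 11 && apparmor_enabled "$2"; then
        printf 'IN SCOPE: kernel %s is >= 4.11 and AppArmor is enabled; check the patched package version in your distro advisory\n' "$1"
        return 0
    fi
    printf 'OUT OF SCOPE: kernel %s is older than 4.11 or AppArmor is not enabled\n' "$1"
    return 1
}

# Live check on this host (skipped when the parameter file is absent, e.g. in CI)
if [ -r /sys/module/apparmor/parameters/enabled ]; then
    in_scope "$(uname -r)" || true
fi
```

On a real host, `aa-status` (from the apparmor utilities package) gives the same enabled/disabled answer with more detail; the function form here is what you would drop into an inventory job that runs across many machines and reports only the in-scope ones.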
Mitigation
The advice is plain: apply the kernel update as soon as your distribution ships it. Patching the kernel is the only reliable fix; the interim mitigations floating around don’t cover every vector. Debian and Ubuntu have already released corrections, Debian through advisories DSA-6162-1 and DSA-6163-1, and Canonical with kernel patches plus user-space fixes in sudo and util-linux, since part of the exploit chain runs through those utilities.
If you can’t patch right away, watch /sys/kernel/security/apparmor/ for profile changes you did not make and tighten container controls. Treat that as a stopgap: monitoring detects manipulation after the fact, it does not prevent it. The real fix is an updated kernel and a reboot to load the corrected code. Prioritize internet-facing assets and Kubernetes nodes, where a broken isolation boundary costs the most.
Source
- Qualys Threat Research Unit — CrackArmor: https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root
- NVD — CVE-2026-23403: https://nvd.nist.gov/vuln/detail/CVE-2026-23403