On 12 March 2026 Canonical shipped the fixes for CrackArmor, the set of AppArmor flaws found by the Qualys Threat Research Unit. What stands out about this round is that the fix doesn’t live in a single package. Ubuntu spread the mitigations across the Linux kernel, sudo (and sudo-ldap) and util-linux. Understanding why all three are needed keeps you from patching only half the problem.
What CrackArmor is
AppArmor is the mandatory access control mechanism enabled by default on Ubuntu. CrackArmor groups nine “confused deputy” vulnerabilities: an unprivileged local user gets a higher-privileged process to do the dirty work on their behalf. The base flaw, CVE-2026-23268, lets an unprivileged user open privileged control files; if a setuid application then writes to them, AppArmor profiles can be manipulated or removed entirely. From there you reach local privilege escalation to root, kernel memory information leaks, security bypasses and, on machines running untrusted images, container escape.
The bug has been in the kernel since version 4.11 (2017), so it affects any system with AppArmor enabled, not just Ubuntu. Qualys put the number of exposed systems at more than 12 million.
Why three packages
This is the interesting part. The core flaws live in the kernel, and that’s where most of the eleven assigned patches go (from CVE-2026-23268 and 23269 to the CVE-2026-234xx series). But the exploitation chain needs two more pieces in userspace.
The first is util-linux. The su utility behaves unsafely and acts as the lever that makes the attack work. It can only be triggered by unprivileged users who have a password set, though that detail is little comfort on a multi-user box.
The second is sudo/sudo-ldap, tracked as CVE-2026-35535. Qualys found a separate flaw in sudo's email notification feature which, chained with the AppArmor flaws and the privileged su utility, enables local privilege escalation. On Ubuntu it affects Noble (24.04 LTS) and Questing Quokka (25.10).
Who is affected and what to do
Every supported Ubuntu release, from 14.04 LTS to 25.10, needs the kernel update. Bionic (18.04) and Xenial (16.04) don’t have the full privilege-escalation chain, but they remain exposed to denial of service.
Canonical was explicit: apply both the userspace mitigations and the kernel security updates. The userspace fixes landed at once for every supported release, while the kernel patches rolled out progressively. If you update only the kernel and leave sudo or util-linux behind, the attack chain stays partly open.
The routine is the usual one:
sudo apt update && sudo apt upgrade
A reboot is required after installing the new kernel. If you have automatic updates enabled (unattended-upgrades), the patches should arrive on their own within the first 24 hours, but it’s worth verifying rather than trusting it blindly on critical servers.
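A small check for the "verify rather than trust" step, added here as an example and not part of Canonical's or Qualys's tooling: it lists which of the packages carrying the CrackArmor fixes (any linux-image-* package, sudo, sudo-ldap, util-linux) still have a pending upgrade, and whether the running kernel lags the newest installed one. It assumes Ubuntu's `apt list --upgradable` output format and the /var/run/reboot-required marker; the version strings in the sample are constructed placeholders.

```shell
#!/bin/sh
# Packages that carry the CrackArmor mitigations, per the advisory: the kernel
# image (any linux-image-* package) plus these three userspace packages.
CRACKARMOR_PKGS='sudo sudo-ldap util-linux'

# $1: text of `apt list --upgradable`. Prints the space-separated names of the
# CrackArmor-relevant packages that still have an upgrade pending.
crackarmor_pending() {
    printf '%s\n' "$1" | awk -F/ -v pkgs="$CRACKARMOR_PKGS" '
        BEGIN { n = split(pkgs, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        /^Listing/ { next }                       # skip the "Listing... Done" header
        ($1 in w) || ($1 ~ /^linux-image-/) { print $1 }
    ' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# $1: running kernel release (uname -r); $2: newest installed kernel release.
# True (exit 0) when the new kernel is installed but not yet running.
kernel_reboot_needed() {
    [ "$1" != "$2" ]
}

# Constructed sample of `apt list --upgradable` on a box where the userspace
# fixes have arrived but sudo and util-linux are still waiting to be installed.
SAMPLE_UPGRADABLE='Listing... Done
libc6/noble-updates PLACEHOLDER-VERSION amd64 [upgradable from: PLACEHOLDER-VERSION]
sudo/noble-updates,noble-security PLACEHOLDER-VERSION amd64 [upgradable from: PLACEHOLDER-VERSION]
util-linux/noble-updates,noble-security PLACEHOLDER-VERSION amd64 [upgradable from: PLACEHOLDER-VERSION]'

if [ "${1:-}" = "--live" ]; then
    # Live mode: query apt and the boot directory on this machine.
    pending=$(crackarmor_pending "$(apt list --upgradable 2>/dev/null)")
    [ -n "$pending" ] && echo "CrackArmor fixes still pending: $pending"
    newest=$(ls /boot/vmlinuz-* 2>/dev/null | sed 's#.*/vmlinuz-##' | sort -V | tail -n 1)
    if [ -f /var/run/reboot-required ] || kernel_reboot_needed "$(uname -r)" "$newest"; then
        echo "reboot required: running $(uname -r), newest installed $newest"
    fi
else
    # Offline demo on the constructed sample.
    echo "sample pending: $(crackarmor_pending "$SAMPLE_UPGRADABLE")"   # sudo util-linux
fi
```

Run it with `--live` on the host to check the real apt state; without the flag it only exercises the constructed sample.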
If you run machines hosting containers built from third-party images, put those at the front of the queue: container escape is one of the scenarios CrackArmor opens up.