On 12 March 2026 the Debian security team published DSA-6163-1, a Linux kernel update for the oldstable branch (Debian 12 “Bookworm”). The advisory bundles a large batch of fixes that, according to the official text, can lead to privilege escalation, denial of service or information leaks. The fixed package version is 6.1.164-1.
What the advisory fixes
This isn’t one headline bug. It’s a big collection of accumulated patches across different kernel subsystems. Among the CVEs are the AppArmor flaws discovered by the Qualys Threat Research Unit and named CrackArmor, which let an unprivileged local user bypass kernel protections and, in the worst case, escalate to root. They travel alongside fixes that reach back to 2023 (for example CVE-2023-53424) and run up to the recent CVE-2026-232xx series, plus a healthy number of 2025 bugs.
The advisory doesn’t spell out every CVE in its body. It points to the Debian security tracker and to the Qualys writeup for the full list and the technical detail. That’s normal for kernel updates, where Debian gathers in a single package the patches that have landed upstream over time.
Who is affected
Any machine running Debian 12 Bookworm with an unpatched 6.1 kernel. Since Bookworm is now oldstable, this mostly means servers and systems that haven’t yet moved to Debian 13 “Trixie”. If you run Bookworm in production, this advisory is for you.
A good share of the bundled vulnerabilities are local: they need the attacker to already have access to the system. That doesn’t make them minor. On multi-user setups, shared hosting, or anywhere containers run, a local root escalation is exactly the step that turns a compromised account into full control of the box. The CrackArmor flaws fit that pattern and can also break container isolation.
Severity
Debian doesn’t assign a single global CVSS score to the advisory, but the mix of privilege escalation, denial of service and information disclosure across this many CVEs makes it a high-priority update. The AppArmor flaws alone would justify patching right away, since they’ve been in the kernel for years and affect millions of Debian, Ubuntu and SUSE systems.
How to update
Move the kernel to version 6.1.164-1 or later:
sudo apt update
sudo apt full-upgrade
Then reboot to boot the patched kernel, since the fixes touch code that runs early. Check the active version with uname -r before and after the reboot. If you have livepatch or an equivalent in place, review which CVEs it covers and which still need a reboot: many of these bugs can’t be mitigated live.
For the exact CVE list on your install, check the Debian security tracker linked below.
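A post-reboot check for the step above, as an added example that is not part of the advisory or of Debian's tooling. It assumes the usual Debian format of uname -v, which embeds the kernel package version after the word "Debian" (uname -r prints the kernel release string, not the package version); the function names are illustrative and the sample strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: compare the running kernel's Debian package version
# against the fixed version named in DSA-6163-1.
FIXED="6.1.164-1"   # fixed package version taken from the advisory

# Pull the package version out of a `uname -v` string, e.g. (constructed)
# "#1 SMP PREEMPT_DYNAMIC Debian 6.1.164-1 (2026-01-01)" -> "6.1.164-1".
kernel_pkg_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# True when $1 >= $2. Uses dpkg's own comparison when present; the sort -V
# fallback is an approximation that is adequate for plain kernel versions.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Print "fixed", "outdated" or "unknown" for a given `uname -v` string.
# "unknown" means no Debian package version could be parsed from it.
kernel_status() {
    ver=$(kernel_pkg_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif version_ge "$ver" "$FIXED"; then
        echo fixed
    else
        echo outdated
    fi
}

# Report on the kernel that is actually running, not the one installed on disk.
echo "running kernel: $(kernel_status "$(uname -v)")"
```

An "outdated" result after apt full-upgrade usually means the machine has not yet been rebooted into the new kernel.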
Source
- Official advisory: Debian Security Announce — DSA-6163-1