{"id":15962,"date":"2026-03-16T11:11:23","date_gmt":"2026-03-16T11:11:23","guid":{"rendered":"https:\/\/newestek.com\/?p=15962"},"modified":"2026-03-16T11:11:23","modified_gmt":"2026-03-16T11:11:23","slug":"nine-critical-vulnerabilities-in-linux-apparmor-put-over-12m-enterprise-systems-at-risk","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15962","title":{"rendered":"Nine critical vulnerabilities in Linux AppArmor put over 12M enterprise systems at risk"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Security researchers at Qualys have disclosed nine vulnerabilities in AppArmor, the Linux Security Module that ships enabled by default across Ubuntu, Debian, and SUSE distributions.<\/p>\n<p>An unprivileged local attacker can exploit the flaws to gain full root access, break out of container isolation, and crash systems, all without requiring administrative credentials, the researchers said in a blog post.<\/p>\n<p>Dubbed \u201cCrackArmor\u201d by the Qualys Threat Research Unit (TRU), the vulnerabilities have existed since Linux kernel version 4.11, released in 2017. Qualys\u2019s own asset management telemetry puts the exposed attack surface at over 12.6 million enterprise Linux instances running AppArmor by default, a figure that grows further when Kubernetes clusters, IoT deployments, and edge environments are counted, the blog post said.<\/p>\n<p>\u201cAs the default mandatory access control mechanism for Ubuntu, Debian, SUSE, and numerous cloud platforms, its ubiquity across enterprise environments, Kubernetes, IoT, and edge environments amplifies the threat surface significantly,\u201d the researchers <a href=\"https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2026\/03\/12\/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root\" target=\"_blank\" rel=\"noreferrer noopener\">wrote in the blog post<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"a-fundamental-design-flaw\">A fundamental design flaw<\/h2>\n<p>At the heart of CrackArmor is what Qualys describes as a \u201cconfused deputy\u201d problem, a class of vulnerability in which a privileged process is tricked into performing unauthorized actions on behalf of an unprivileged user. In the advisory, Qualys likened it to \u201can intruder convincing a building manager with master keys to open restricted vaults that the intruder cannot enter alone.\u201d<\/p>\n<p>In practice, the researchers said, a standard local user account is sufficient to manipulate AppArmor\u2019s security profiles \u2013 the rules that govern what individual applications are permitted to do on a Linux system.<\/p>\n<p>\u201cBy routing commands through trusted system tools, an unprivileged attacker can load, replace, or remove those profiles entirely. An attacker can strip protections from critical system services, lock all users out of remote access by targeting the SSH daemon, or bypass Ubuntu\u2019s restrictions on unprivileged user namespaces, even after all previously known workarounds were closed,\u201d the advisory said.<\/p>\n<h2 class=\"wp-block-heading\" id=\"from-profile-manipulation-to-root-shell\">From profile manipulation to root shell<\/h2>\n<p>The blog post detailed a full privilege escalation chain demonstrated on a default Ubuntu Server installation with the Postfix mail server. By loading a crafted security profile that blocks a specific privilege-dropping capability in Sudo, the researchers said they forced Sudo into a \u201cfail-open\u201d condition: unable to shed its root privileges before invoking the system\u2019s mail agent, Sudo runs the process as root while preserving the attacker\u2019s environment.<\/p>\n<p>The result is arbitrary command execution as root, the researchers wrote.<\/p>\n<p>\u201cThese findings expose critical gaps in our reliance on default security assumptions,\u201d the blog post said. \u201cIt fundamentally undermines system confidentiality, integrity, and availability globally.\u201d<\/p>\n<p>\u201cCrackArmor proves that even the most entrenched protections can be bypassed without admin credentials,\u201d Qualys CTO Dilip Bachwani said in the blog post. \u201cFor CISOs, this means patching alone isn\u2019t enough; we must re-examine our entire assumption of what \u2018default\u2019 configurations mean for our infrastructure.\u201d<\/p>\n<p>This is not the first time Qualys researchers have uncovered serious privilege escalation vulnerabilities in default Linux components. In 2022, <a href=\"https:\/\/www.csoonline.com\/article\/572103\/dangerous-privilege-escalation-bugs-found-in-linux-package-manager-snap.html\">the company disclosed two flaws in Snap<\/a>, Ubuntu\u2019s universal application packaging system, that similarly allowed a low-privileged user to execute malicious code as root.<\/p>\n<h2 class=\"wp-block-heading\" id=\"kernel-level-bugs-compound-the-risk\">Kernel-level bugs compound the risk<\/h2>\n<p>Beyond the profile-manipulation vector, Qualys said it identified four kernel-level vulnerabilities within AppArmor\u2019s own code. One flaw can be exploited to crash the entire system by forcing a reboot, the advisory said.<\/p>\n<p>Another one allows an attacker to read protected kernel memory, exposing internal addresses that security mitigations are designed to hide and making follow-on exploits easier to execute. Two other vulnerabilities were each demonstrated as independent paths to full root access, even on systems with modern exploit mitigations enabled by default, the blog post said.<\/p>\n<p>AppArmor has previously been cited as a key mitigating control against other Linux vulnerabilities. When the <a href=\"https:\/\/www.csoonline.com\/article\/572261\/dirty-pipe-root-linux-vulnerability-can-also-impact-containers.html\">Dirty Pipe privilege escalation flaw<\/a> threatened container environments in 2022, AppArmor was among the hardening measures recommended to limit exposure.<\/p>\n<h2 class=\"wp-block-heading\" id=\"no-cve-numbers-but-patches-are-available\">No CVE numbers, but patches are available<\/h2>\n<p>No CVE identifiers have been assigned to any of the nine vulnerabilities as of publication. The Linux kernel CVE assignment process intentionally delays issuing identifiers until one to two weeks after a fix lands in a stable release, the researchers said in the blog post. \u201cDon\u2019t let the absence of a CVE number downplay the significance,\u201d the researchers wrote in the blog post. \u201cIf you\u2019re running affected versions, treat this advisory seriously and update accordingly.\u201d<\/p>\n<p>The company added that patches were published in Linus Torvalds\u2019 upstream kernel tree on March 12, following a coordinated disclosure process involving Ubuntu\u2019s security team, Canonical\u2019s AppArmor developers, Debian, SUSE, and Sudo\u2019s maintainer that stretched over eight months. \u201cImmediate kernel patching remains the non-negotiable priority for neutralizing these critical vulnerabilities,\u201d the researchers wrote in the blog post.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers at Qualys have disclosed nine vulnerabilities in AppArmor, the Linux Security Module that ships enabled by default across Ubuntu, Debian, and SUSE distributions. An unprivileged local attacker can exploit the flaws to gain full root access, break out of container isolation, and crash systems, all without requiring administrative credentials, the researchers said in a blog post. Dubbed \u201cCrackArmor\u201d by the Qualys Threat Research&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15962\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15962","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15962","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15962"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15962\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15962"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15962"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15962"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}