A series of vulnerabilities affecting Linux’s AppArmor – a security layer built into many mainstream Linux distributions, including Ubuntu and openSUSE – gives an unprivileged local user the ability to escalate privileges to root under certain circumstances, or to crash systems.

All Linux kernels since v4.11 (released in April 2017) are vulnerable on any distribution that integrates AppArmor, security firm Qualys said, although individual distribution releases are affected differently by the nine vulnerabilities. (Red Hat, which uses SELinux instead of AppArmor, is not affected; nor are Amazon Linux or Fedora, for the same reason.)

The vulnerabilities have been dubbed CrackArmor by Qualys. 

Canonical said in a security advisory: “The impact of these vulnerabilities ranges from denial of service to kernel memory information leak, removing security controls, and local privilege escalation to root user…

"[We have] provided userspace mitigations in the form of security updates, for all affected Ubuntu releases. Our recommendation is that you apply both userspace mitigations and Linux kernel security updates."


AppArmor augments the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It has been included in the mainline Linux kernel for over 16 years (since version 2.6.36). Its development has been supported by Canonical since 2009.

Despite Qualys having first shared the batch of nine security vulnerabilities with Ubuntu publisher Canonical as early as July 2025, the vulnerabilities (frustratingly) still do not have CVEs assigned.

That’s due, in part, to esoterica around how Linux allocates CVEs; perhaps also to the fact that there are only three core members of the Linux kernel CNA team and an estimated eight bugs an hour landing (albeit many of which are automatically filtered out of the potential CVE allocation process, per the link above).

Organisations tempted to forgo patching because of the lack of detail or CVEs, or on the assumption that Linux kernel bugs don't get exploited in the wild, should review Canonical's advisory closely, be mindful of these entries in CISA's KEV, and be aware that LLMs are making it vastly easier to develop working exploits from public patch diffs.

CrackArmor: "Communication delays" pointedly noted

A timeline of disclosure suggests concern on Qualys’ side at the pace of response to the issue by AppArmor’s maintainer.

“2025-12-15: Sent a mail to Ubuntu's security team and Canonical's AppArmor developers to share our worries about the state of this vulnerability disclosure. 2026-01-14: Sent another mail to Ubuntu's security team and Canonical's AppArmor developers to share our worries about the state of this vulnerability disclosure,” a timeline shows. 

It took until March 12, and five rounds of patch versions being shipped back to Qualys for review, before the fixes were published upstream today.

Qualys said tartly: “We believe that responsible disclosure requires patience and trust. However, the coordination process for these vulnerabilities extended significantly beyond typical timelines due to multiple rounds of patch review and communication delays with upstream maintainers…” 

Canonical’s security team in a detailed advisory today (March 13) said: "All of the vulnerabilities rely on a fundamental “confused deputy” problem for exploitation in host deployments – this is one of the AppArmor kernel vulnerabilities, referred to as CVE-2026-XXXX.*

"Any unprivileged application can open certain privileged control files under securityfs (usually mounted under /sys/kernel/security/) for writing, with permissions only checked upon actually writing data; if a privileged application can be tricked into writing the correct format to an opened file descriptor, the behaviour can be abused to load, remove, or change existing AppArmor profiles.”

They added, sharing guidance: “Exploiting this vulnerability requires a cooperating privileged (e.g. setuid root) application. The Qualys team have demonstrated the use of the su utility to perform AppArmor policy management, an otherwise privileged operation, from an unprivileged user” but noted “this only works for unprivileged users with passwords set.”

Debian said: “For the stable distribution (trixie), these problems have been fixed in version 6.12.74-2. We recommend that you upgrade your linux packages.” The Stack had not seen a SUSE advisory as we published.
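A constructed exposure-triage script for the points above: the affected kernel range from the article, the Debian trixie fixed version from Debian's advisory, and Canonical's note that the demonstrated su path needs unprivileged users with passwords set. It is an added example, not code from Qualys, Canonical or Debian, and assumes AppArmor's enable flag at the standard module-parameter path /sys/module/apparmor/parameters/enabled.

```shell
#!/bin/sh
# Constructed triage helper for the CrackArmor AppArmor issues above; not code
# from Qualys, Canonical or Debian. Assumptions: affected kernels start at 4.11
# (per the article), the Debian trixie fix is linux 6.12.74-2 (per Debian), and
# AppArmor's enable flag is the module parameter /sys/module/apparmor/parameters/enabled.

# Return 0 if kernel release $1 (e.g. "6.12.74+deb13-amd64") is 4.11 or later.
kernel_in_affected_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "${major:-0}" -gt 4 ] 2>/dev/null && return 0
    [ "${major:-0}" -eq 4 ] 2>/dev/null && [ "${minor:-0}" -ge 11 ] 2>/dev/null
}

# Return 0 if the AppArmor module-parameter file $1 reads "Y" (LSM enabled).
apparmor_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]
}

# Print accounts from shadow-format input on stdin whose password field is a
# usable hash (non-empty, not a "!" or "*" lock marker); Canonical notes the
# demonstrated su path only works for users with a password set.
accounts_with_passwords() {
    while IFS=: read -r user hash _; do
        case "$hash" in
            ""|"!"*|"*"*) ;;              # locked or passwordless account
            *) printf '%s\n' "$user" ;;
        esac
    done
}

# Host report; run as root on a real system (reads /etc/shadow).
report() {
    rel=$(uname -r)
    if ! kernel_in_affected_range "$rel" ||
       ! apparmor_enabled /sys/module/apparmor/parameters/enabled; then
        echo "kernel $rel predates 4.11 or AppArmor is disabled: not exposed"
        return 0
    fi
    echo "kernel $rel is in the affected range and AppArmor is enabled"
    if grep -qs '^VERSION_CODENAME=trixie' /etc/os-release; then
        ver=$(dpkg-query -W -f='${Version}' "linux-image-$rel" 2>/dev/null)
        dpkg --compare-versions "${ver:-0}" ge 6.12.74-2 &&
            echo "linux-image $ver is at or after the Debian fix 6.12.74-2" ||
            echo "linux-image ${ver:-unknown} predates the Debian fix 6.12.74-2"
    fi
    echo "accounts with a usable password (precondition for the su path):"
    accounts_with_passwords < /etc/shadow
}
```

Call `report` on a Debian trixie host to see all three checks; on other distributions only the kernel-range, AppArmor and password-hash checks apply, and the fixed package version must be taken from that distribution's own advisory.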

*Not very helpful… CVEs to follow when they are allocated!

  • Qualys’ advisory is here.
  • Ubuntu’s advisory and guidance is here.

Comment welcomed.
