
Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation

Security researchers have disclosed nine critical vulnerabilities in the Linux kernel’s AppArmor module that could allow unprivileged users to escalate privileges to root and bypass container isolation. The flaws, collectively dubbed CrackArmor by the Qualys Threat Research Unit (TRU), have existed since 2017 and exploit “confused deputy” issues in AppArmor.

AppArmor is a Linux security module providing mandatory access control (MAC), designed to prevent applications from exploiting system flaws. Integrated into the Linux kernel since version 2.6.36, AppArmor is widely used in enterprise distributions such as Ubuntu, Debian, and SUSE.

Saeed Abbasi, senior manager at Qualys TRU, explained that the vulnerabilities allow attackers to manipulate AppArmor profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary kernel code. Exploits could leverage tools like Sudo and Postfix to escalate privileges, trigger denial-of-service attacks, or bypass Kernel Address Space Layout Randomization (KASLR).

“Confused deputy flaws occur when a privileged program is tricked into performing unintended actions,” Abbasi said. “CrackArmor enables unprivileged users to manipulate security policies, compromising the host and subverting container isolation, least-privilege enforcement, and service hardening.”

The vulnerabilities enable attackers to create fully capable user namespaces, effectively bypassing Ubuntu’s AppArmor restrictions, exposing sensitive system credentials, and allowing arbitrary memory disclosure. While Qualys has withheld proof-of-concept exploits to give administrators time to patch systems, the impact could be severe across enterprise environments.

The issues affect all Linux kernels since version 4.11 where AppArmor is enabled. With over 12.6 million enterprise Linux instances relying on AppArmor, immediate kernel patching is strongly recommended. Interim mitigations are insufficient, and only vendor-fixed kernel updates fully address the vulnerabilities.

Administrators are urged to prioritize updates to mitigate the risk of local privilege escalation, container escapes, and denial-of-service conditions.
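As an added triage aid (not from the article or from Qualys), the script below flags hosts that fall into the affected set described above: a kernel at or above 4.11 with the AppArmor module enabled. It reads the standard sysfs flag /sys/module/apparmor/parameters/enabled (an assumption about the host layout) and cannot tell a vendor-patched kernel from an unpatched one, so it is for prioritising updates, not for confirming a fix.

```shell
#!/bin/sh
# Exposure check for the CrackArmor affected set: kernel >= 4.11 with AppArmor
# enabled. Constructed example; it does not probe the flaws themselves and a
# distro backport keeps the same version string, so treat a hit as "patch
# first", not "vulnerable".

# kernel_at_least MIN RUNNING -> returns 0 when RUNNING (e.g. 5.15.0-91-generic)
# is at least MIN (e.g. 4.11), comparing only the numeric major.minor fields.
kernel_at_least() {
    min_major=${1%%.*}; rest=${1#"$min_major"}; rest=${rest#.}
    min_minor=${rest%%.*}; [ -z "$min_minor" ] && min_minor=0
    ver=${2%%-*}                       # drop the distro suffix (-91-generic)
    run_major=${ver%%.*}; rest=${ver#"$run_major"}; rest=${rest#.}
    run_minor=${rest%%.*}; [ -z "$run_minor" ] && run_minor=0
    # Refuse to compare anything that is not purely numeric.
    case "$min_major$min_minor$run_major$run_minor" in
        *[!0-9]*) return 2 ;;
    esac
    [ "$run_major" -gt "$min_major" ] && return 0
    [ "$run_major" -eq "$min_major" ] && [ "$run_minor" -ge "$min_minor" ]
}

# apparmor_enabled [FLAGFILE] -> returns 0 when the kernel reports AppArmor
# enabled. The optional argument exists so the check can be exercised on a
# host without AppArmor (assumed sysfs path below).
apparmor_enabled() {
    f=${1:-/sys/module/apparmor/parameters/enabled}
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Report for the running host.
if kernel_at_least 4.11 "$(uname -r)" && apparmor_enabled; then
    echo "IN AFFECTED SET: kernel $(uname -r) with AppArmor enabled; apply the vendor kernel update"
else
    echo "not in affected set: kernel below 4.11 or AppArmor not enabled"
fi
```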

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved