Cybersecurity experts have revealed a set of serious security weaknesses in the Linux kernel’s AppArmor security module that could allow unprivileged local users to bypass kernel defenses, gain full root privileges, and compromise container isolation.
The vulnerabilities, nine in total, are a class of confused deputy flaws collectively dubbed CrackArmor by the Qualys Threat Research Unit (TRU). According to Qualys, the issues have been present in AppArmor since 2017, although no CVE identifiers have yet been assigned.
AppArmor is a Linux Security Module (LSM) that enforces mandatory access control (MAC), limiting how applications interact with system resources to reduce the impact of both known and unknown vulnerabilities. The framework has been part of the mainline Linux kernel since version 2.6.36 and is widely enabled by default across major distributions.
According to Saeed Abbasi, Senior Manager at Qualys TRU, the CrackArmor flaws stem from a confused deputy condition that allows unprivileged users to tamper with AppArmor security profiles through pseudo-files. By abusing these mechanisms, attackers can bypass user-namespace restrictions and potentially execute arbitrary code within the kernel.
Abbasi explained that the vulnerabilities enable local privilege escalation to root through complex interactions with commonly trusted utilities such as sudo and Postfix. In addition, the flaws can be leveraged to trigger denial-of-service conditions via stack exhaustion, as well as bypass Kernel Address Space Layout Randomization (KASLR) using out-of-bounds memory reads.
Confused deputy vulnerabilities arise when a privileged component is manipulated by a less-privileged actor into performing actions that exceed the attacker’s original permissions. In this case, the trust placed in AppArmor-enabled tools can be abused to execute operations that ultimately lead to privilege escalation.
Qualys noted that attackers without sufficient permissions can manipulate AppArmor profiles to disable protections on critical services or enforce overly restrictive deny-all rules, resulting in service disruption and denial-of-service attacks.
When combined with flaws in kernel-level profile parsing, these weaknesses allow attackers to circumvent user-namespace boundaries and achieve full local privilege escalation to root, the company said.
“Policy manipulation places the entire host at risk, while namespace bypasses open the door to advanced kernel exploitation techniques such as arbitrary memory disclosure,” Qualys added. “The resulting denial-of-service and privilege escalation capabilities can lead to service outages, credential manipulation through passwordless root access such as modifying /etc/passwd—or KASLR leaks that enable further exploitation chains.”
The situation is further aggravated by CrackArmor’s ability to let unprivileged users create fully functional user namespaces. This effectively undermines Ubuntu’s AppArmor-based restrictions on user namespaces and weakens core security principles including container isolation, least-privilege enforcement, and service hardening.
To reduce immediate risk, Qualys stated that it is withholding proof-of-concept exploit code for the identified vulnerabilities, giving organizations time to apply patches and reduce exposure.
The flaws impact all Linux kernels from version 4.11 onward on systems where AppArmor is enabled. With more than 12.6 million enterprise Linux instances running AppArmor by default across major distributions such as Ubuntu, Debian, and SUSE, Qualys strongly recommends immediate kernel updates.
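Added triage helper (not code from the article or from Qualys) that checks whether a host sits in the exposure window described above: a kernel at 4.11 or later with AppArmor enabled, and, on Ubuntu, whether the AppArmor-based user-namespace restriction that the flaws undermine is currently switched on. The sysfs and sysctl paths (/sys/module/apparmor/parameters/enabled and kernel.apparmor_restrict_unprivileged_userns) are assumptions about the standard kernel interfaces, not something the article states; the optional file-path arguments exist so the checks can be exercised against sample files.

```shell
#!/bin/sh
# Added triage helper, not Qualys's code. Paths are assumed standard interfaces:
#   /sys/module/apparmor/parameters/enabled                 (AppArmor active: "Y")
#   /proc/sys/kernel/apparmor_restrict_unprivileged_userns  (Ubuntu sysctl: "1")

# version_ge A B: succeed if dotted version A is at least B.
# Compares major/minor numerically, so "4.9.0" < "4.11" (a string compare gets this wrong).
version_ge() {
    a1=$(echo "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    a2=$(echo "$1" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    b1=$(echo "$2" | cut -d. -f1 | sed 's/[^0-9].*//')
    b2=$(echo "$2" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    if [ "${a1:-0}" -gt "${b1:-0}" ]; then return 0; fi
    if [ "${a1:-0}" -lt "${b1:-0}" ]; then return 1; fi
    [ "${a2:-0}" -ge "${b2:-0}" ]
}

# apparmor_enabled [FILE]: succeed if the kernel reports AppArmor as enabled.
apparmor_enabled() {
    f=${1:-/sys/module/apparmor/parameters/enabled}
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# userns_restricted [FILE]: succeed if Ubuntu's AppArmor-based restriction on
# unprivileged user namespaces is switched on (the control CrackArmor undermines).
userns_restricted() {
    f=${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# assess KERNEL [APPARMOR_FILE] [USERNS_FILE]: print one word:
#   not-affected   kernel below 4.11 or AppArmor not enabled
#   affected       inside the stated exposure window; patch the kernel
#   affected-userns-restriction-undermined  as above, and the userns restriction
#                  is on but cannot be relied upon until the kernel is patched
assess() {
    if ! version_ge "$1" 4.11 || ! apparmor_enabled "$2"; then
        echo not-affected
    elif userns_restricted "$3"; then
        echo affected-userns-restriction-undermined
    else
        echo affected
    fi
}

# Stand-alone use on the current host:
# assess "$(uname -r)"
```

The result only says whether the host is in scope for the vendor kernel update the article calls for; it is not a test for the flaws themselves.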
Abbasi emphasized that applying vendor-provided kernel patches is the only reliable mitigation. “Immediate kernel patching is non-negotiable for neutralizing these critical vulnerabilities,” he said, noting that temporary workarounds do not provide the same level of protection as restoring the corrected code paths.