The Qualys Threat Research Unit has disclosed nine vulnerabilities in Linux AppArmor, collectively named CrackArmor, that allow unprivileged local users to bypass kernel protections, escalate to root, and break container isolation. Qualys said the flaws have been present since Linux kernel version 4.11, released in 2017, and affect systems that enable AppArmor by default, including Ubuntu, Debian, SUSE, and their derivatives.
Qualys said the issue stems from confused-deputy flaws in AppArmor that let unprivileged users manipulate security profiles through pseudo-files, bypass user-namespace restrictions, and execute arbitrary code in the kernel. The company said its asset data shows more than 12.6 million enterprise Linux instances run with AppArmor enabled by default.
As of publication, Qualys said no CVE identifiers have been assigned to the vulnerabilities. Canonical also said the flaws are being tracked as CrackArmor and that the AppArmor kernel issues, the related sudo bug, and the hardening changes for su are not yet tied to public CVE IDs.
“As of publication, no CVE identifiers have been assigned to these vulnerabilities.” — Qualys
Qualys said the vulnerabilities can be used to load deny-all profiles against critical services, trigger kernel panic conditions through recursive stack exhaustion on x86-64 systems, bypass Ubuntu user-namespace restrictions, and achieve local privilege escalation to full root. The research also says the same trust-boundary failure can weaken container confinement, turning a local access bug into a broader infrastructure risk for Linux hosts running container workloads.
Canonical says kernel patches and userspace mitigations are available
In a separate security post, Canonical said all of the reported AppArmor vulnerabilities require unprivileged local user access and that the impact differs across supported Ubuntu releases. The company said Linux kernel security updates address all of the AppArmor vulnerabilities identified by Qualys and recommended applying both the userspace mitigations and the kernel security updates.
Canonical said exploitation on host systems that are not running container workloads requires the cooperation of a privileged application, while container deployments that execute attacker-controlled images may be exposed without a cooperating privileged userspace application. The company added that this could theoretically enable container escape scenarios, although it said that had not been practically demonstrated at the time of writing.
The Ubuntu vendor notice says the related sudo vulnerability can be chained with the AppArmor flaws to facilitate local privilege escalation in host deployment scenarios, while updates to the util-linux package harden su to make that path harder to exploit. Canonical said the kernel update remains the only complete remediation for the AppArmor flaws themselves.
The CrackArmor disclosure adds another high-impact Linux security story to a broader body of reporting on how foundational trust boundaries can fail under pressure, from Cyberwarzone’s review of MCP vulnerabilities and AI security risks to its analysis of how Stuxnet reshaped cyber-physical threat models.