Nine CrackArmor Flaws in Linux AppArmor Could Enable Local Root Escalation

Cybersecurity researchers disclosed nine vulnerabilities in the Linux kernel AppArmor module in March 2026 that can let unprivileged users bypass protections and escalate to root. A technical analysis by Qualys Threat Research Unit said the flaws date to 2017 and affect kernels since 4.11, with about 12.6 million enterprise Linux instances running AppArmor by default.

KEY FACTS

  • Vulnerabilities: Nine confused deputy flaws codenamed CrackArmor
  • Affected kernels: Linux 4.11 and later
  • Impact: Local privilege escalation to root and container isolation bypass
  • Mitigation: Vendor kernel patches advised; proof of concept withheld

The flaws trace to AppArmor profile parsing code introduced in 2017 and are present in all affected kernels since version 4.11. The issues are described as confused deputy vulnerabilities that allow profile manipulation via pseudo-files.

Unprivileged users can manipulate security profiles to disable protections or enforce deny-all policies. Exploits can be chained with utilities such as Sudo and Postfix to escalate privileges, and can produce fully capable user namespaces that bypass Ubuntu user namespace restrictions and weaken container isolation.

Exploitation can cause denial-of-service through stack exhaustion and disclose kernel layout via out-of-bounds reads. Potential impacts include credential tampering, for example modification of /etc/passwd, and avenues for further kernel exploitation.

Public proof-of-concept exploits have been withheld to allow time for patching. Immediate vendor kernel updates are recommended. No CVE identifiers have been assigned at this time.

WHY IT MATTERS

The flaws affect distributions that integrate AppArmor and could compromise host security and container isolation across millions of deployments. Administrators should prioritise vendor kernel updates to reduce exposure.