Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation
Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation
https://thehackernews.com/2026/03/nine-crackarmor-flaws-in-linux-apparmor.html
Publish Date: 2026-03-13 04:18:00
Source Domain: thehackernews.com
Cybersecurity researchers have disclosed multiple security vulnerabilities within the Linux kernel’s AppArmor module that could be exploited by unprivileged users to circumvent kernel protections, escalate to root, and undermine container isolation guarantees.
The nine confused deputy vulnerabilities have been collectively codenamed CrackArmor by the Qualys Threat Research Unit (TRU). The cybersecurity company said the issue has existed since 2017. No CVE identifiers have been assigned to the shortcomings.
AppArmor is a Linux security module that provides mandatory access control (MAC) and secures the operating system against external or internal threats by preventing known and unknown application flaws from being exploited. It has been included in the mainline Linux kernel since version 2.6.36.
“This ‘CrackArmor’ advisory exposes a confused deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel,” Saeed Abbasi, senior manager of Qualys TRU, said.
“These flaws facilitate local privilege escalation to root through complex interactions with tools like Sudo and Postfix, alongside denial-of-service attacks via stack exhaustion and Kernel Address Space Layout Randomization (KASLR) bypasses via out-of-bounds reads.”
Confused deputy vulnerabilities occur when a privileged program is coerced by an unauthorized user into misusing its privileges to perform unintended, malicious actions. The problem essentially exploits the trust associated with a more-privileged tool to execute a command that leads to privilege escalation.
Qualys said an entity that doesn’t have permissions to perform an action can manipulate AppArmor profiles to disable critical service protections or enforce deny-all policies, triggering denial-of-service (DoS) attacks in the process.
“Combined with kernel-level flaws inherent in…
