Unprivileged users could exploit AppArmor bugs to gain root access
Publish Date: 2026-03-16 04:10:00
Source Domain: securityaffairs.com
Pierluigi Paganini
March 16, 2026

Researchers found nine “CrackArmor” flaws in Linux AppArmor that could let unprivileged users bypass protections, gain root privileges, and weaken container isolation.
Qualys researchers disclosed nine vulnerabilities, collectively tracked as CrackArmor, in the Linux kernel’s AppArmor module.
The flaws have existed since 2017 and could allow unprivileged users to bypass protections, escalate privileges to root, run code in the kernel, or cause denial-of-service conditions.
AppArmor is a Linux security module that protects the operating system and applications by enforcing strict behavior rules to block both known and unknown threats, including zero-day attacks. It adds mandatory access control to the traditional Unix discretionary access model and has been part of the Linux kernel since version 2.6.36, with development supported by Canonical since 2009.
Because AppArmor is widely deployed in enterprise systems, cloud platforms, containers, and IoT environments, the issue potentially affects more than 12.6 million Linux systems.
Researchers developed proof-of-concept exploits but, to reduce risk, did not release them publicly.
No CVE identifiers have been assigned yet, but security teams are strongly advised to patch the Linux kernel immediately, as updates are the only reliable way to mitigate the risk.
The CrackArmor flaws expose a confused-deputy issue that lets unprivileged users manipulate AppArmor security profiles, bypass namespace limits, and run code in the Linux kernel. Attackers could escalate privileges to root through interactions with tools like Sudo and Postfix, trigger denial-of-service attacks, and bypass Kernel Address Space Layout Randomization protections. The findings highlight serious weaknesses in default security assumptions and could impact system…