
Security researchers from Qualys have disclosed nine vulnerabilities in the Linux kernel’s AppArmor module, collectively tracked as CrackArmor.
The flaws have reportedly existed since 2017 and could allow unprivileged users to bypass protections, escalate privileges to root, execute code in the kernel, or trigger denial-of-service conditions.
Because AppArmor is widely used across enterprise servers, cloud platforms, container environments, and IoT deployments, researchers estimate the vulnerabilities could affect more than 12.6 million Linux systems.
AppArmor Plays A Key Role In Linux Security
AppArmor is a mandatory access control system that protects operating systems and applications by enforcing strict behavior policies.
It supplements the traditional Unix discretionary access model and helps block both known and unknown threats, including zero-day attacks.
The security module has been included in the Linux kernel since version 2.6.36, with development supported by Canonical since 2009.
AppArmor is enabled by default in several major Linux distributions, including Ubuntu, Debian, and SUSE.
CrackArmor Exploits A Confused-Deputy Flaw
According to Qualys researchers, the CrackArmor vulnerabilities expose a confused-deputy design flaw that allows unprivileged users to manipulate AppArmor security profiles.
Attackers can exploit pseudo-files such as /sys/kernel/security/apparmor/.load and .replace to trick privileged processes into modifying security policies.
Researchers said attackers could leverage trusted tools such as Sudo and Postfix to bypass namespace restrictions and execute arbitrary code within the kernel.
“This CrackArmor advisory exposes a confused-deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel,” the report states.
Potential Impact Includes Root Access And System Disruption
Successful exploitation could allow attackers to escalate privileges to root, bypass Kernel Address Space Layout Randomization (KASLR) protections, and collapse container isolation boundaries.
The vulnerabilities could also trigger denial-of-service attacks by forcing kernel panics or system reboots.
Researchers noted that unprivileged users could load “deny-all” security profiles or remove nested subprofiles to disrupt system operations.
Given the prevalence of AppArmor in enterprise Linux deployments and container environments such as Kubernetes, the vulnerabilities could impact system confidentiality, integrity, and availability.
Researchers Withhold Exploits As Patching Is Recommended
Qualys researchers developed proof-of-concept exploits during testing but have not released them publicly to reduce the risk of exploitation.
No CVE identifiers have yet been assigned to the vulnerabilities.
Security teams are being advised to patch affected Linux kernels immediately, as updates remain the only reliable mitigation.
Organizations are also encouraged to scan systems using Qualys QIDs, monitor the /sys/kernel/security/apparmor/ directory for unauthorized profile changes, and review vendor advisories for affected versions and available fixes.
Researchers emphasized that rapid patching is critical because interim mitigations do not provide the same level of protection as vendor-provided kernel updates.
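One way to do the profile monitoring recommended above, as an added example rather than code from the article or from Qualys: it parses the kernel's AppArmor profile listing and diffs it against a known-good baseline, flagging added profiles (for instance an unexpected deny-all profile), removed nested subprofiles, and mode changes. The securityfs path and the one-profile-per-line "<name> (<mode>)" format are assumptions about the AppArmor interface, and the two sample listings are constructed.

```python
# Added example (not the article's or Qualys's code): diff the kernel's AppArmor
# profile listing against a baseline. Assumes the securityfs "profiles" file
# format of one "<name> (<mode>)" line per loaded profile, with nested
# subprofiles written "<parent>//<child>".
import re
from pathlib import Path

PROFILES = Path("/sys/kernel/security/apparmor/profiles")  # may need root to read
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<mode>[a-z]+)\)$")

def parse_profiles(text):
    """Map profile name -> mode; lines that do not match the format are ignored."""
    profiles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            profiles[m.group("name")] = m.group("mode")
    return profiles

def diff_profiles(baseline, current):
    """Return (kind, name, old_mode, new_mode) findings. Removed nested
    subprofiles are flagged separately, since the advisory names subprofile
    removal as a disruption technique."""
    findings = []
    for name in sorted(set(baseline) - set(current)):
        kind = "removed_subprofile" if "//" in name else "removed"
        findings.append((kind, name, baseline[name], None))
    for name in sorted(set(current) - set(baseline)):
        findings.append(("added", name, None, current[name]))  # e.g. a deny-all profile
    for name in sorted(set(baseline) & set(current)):
        if baseline[name] != current[name]:
            findings.append(("mode_changed", name, baseline[name], current[name]))
    return findings

# Constructed sample listings, not captured from a real system.
BASELINE_TEXT = "/usr/sbin/cupsd (enforce)\n/usr/sbin/cupsd//third_party (enforce)\n" \
                "/usr/bin/man (enforce)\nlsb_release (complain)\n"
CURRENT_TEXT = "/usr/sbin/cupsd (enforce)\n/usr/bin/man (complain)\n" \
               "lsb_release (complain)\ndeny_all (enforce)\n"

def check_sample():
    """Run the diff on the constructed sample."""
    return diff_profiles(parse_profiles(BASELINE_TEXT), parse_profiles(CURRENT_TEXT))

if __name__ == "__main__":
    live = PROFILES.read_text() if PROFILES.exists() else CURRENT_TEXT
    for finding in diff_profiles(parse_profiles(BASELINE_TEXT), parse_profiles(live)):
        print(finding)
```

In practice the baseline would be captured once after a trusted boot and the diff run periodically or from a watcher on the securityfs directory.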
