A set of newly identified vulnerabilities in the Linux security module AppArmor could allow attackers to gain root access, bypass system protections and trigger service outages across millions of systems.
The issues, collectively named ‘CrackArmor,’ were discovered by the Qualys Threat Research Unit (TRU). The researchers identified nine flaws that have existed in the Linux kernel since version 4.11 in 2017.
Because AppArmor is enabled by default in widely used Linux distributions, including Ubuntu, Debian and SUSE, the exposure is extensive.
Qualys estimates that more than 12.6 million enterprise Linux systems currently run with AppArmor active. These systems are commonly used across enterprise infrastructure, cloud platforms, Kubernetes environments, internet of things (IoT) devices and edge deployments.
The vulnerabilities stem from a “confused deputy” flaw that allows an unprivileged local user to manipulate AppArmor security profiles. By exploiting pseudo-files within the kernel, attackers could bypass user-namespace restrictions and execute arbitrary code.
Potential Disruption Across Enterprise Infrastructure
Attackers do not need administrative credentials to exploit the vulnerabilities. According to Qualys, any scenario that grants an attacker a standard local account could be enough to weaponize the system.
Read more on Linux security vulnerabilities: New Linux Vulnerabilities Expose Password Hashes via Core Dumps
Researchers said the flaws could also be used to block access to critical services or crash a system entirely.
Potential impacts include:
-
Local privilege escalation (LPE) to root
-
Kernel crashes triggered by stack exhaustion
-
Denial-of-service (DoS) attacks through manipulated security profiles
-
Container isolation bypass
-
Possible exposure of kernel memory through out-of-bounds reads
An attacker could, for example, load a “deny-all” profile against services such as SSH, preventing legitimate remote connections.
Deeply nested profile removals may also exhaust the kernel stack, potentially triggering a kernel panic and forced reboot.
Patch Deployment Urged
Qualys researchers said they developed proof-of-concept (POC) exploits demonstrating the vulnerabilities, but have not publicly released the exploit code to limit risk to unpatched systems.
“These discoveries highlight critical gaps in how we rely on default security assumptions,” Dilip Bachwani, Qualys CTO, said.
“CrackArmor proves that even the most entrenched protections can be bypassed without admin credentials.”
No CVE identifiers have yet been assigned, as vulnerabilities affecting the upstream Linux kernel typically receive CVEs only after fixes are incorporated into stable releases. Qualys nevertheless urged organizations to treat the Ubuntu advisory as urgent.
Security teams are advised to apply vendor kernel updates immediately, scan their environments for vulnerable systems and monitor AppArmor profile directories for suspicious modifications.
