CrackArmor Vulnerability Information

CrackArmor refers to a set of confused deputy vulnerabilities in AppArmor that enable an unprivileged local user to bypass kernel protections, escalate privileges to root, and break container isolation. AppArmor (Application Armor) is a Linux security feature that helps you restrict what programs can do on a system, even if those programs are compromised. These vulnerabilities have existed for a long time and affect over 12.6 million systems globally.

VMDR displays vulnerability details using the Threat, Impact, Solution, Vendor Reference, and Change Log fields.

For additional technical background, see the Qualys Threat Research Unit advisory: CrackArmor: Critical AppArmor Flaws Enable Local Privilege Escalation to Root

CrackArmor consists of multiple vulnerabilities in the Linux kernel AppArmor implementation that an unprivileged local user can exploit. These flaws allow the user to abuse trusted system components to bypass AppArmor enforcement and manipulate security policies. Because AppArmor is enabled by default on several major Linux distributions, these issues weaken mandatory access control protections you rely on for system confinement.

If exploited, these vulnerabilities can lead to local privilege escalation to root, unauthorized changes to AppArmor profiles, bypass of container or user namespace isolation, and denial of service conditions such as kernel crashes. These impacts can compromise system confidentiality, integrity, and availability, especially in shared or containerized environments.

Solution

You must apply vendor-provided Linux kernel security updates that address the AppArmor vulnerabilities collectively referred to as CrackArmor. These issues exist in kernel code and cannot be fully mitigated through configuration changes or user-space controls.

Prioritize systems where AppArmor is enabled by default, including Ubuntu, Debian, and SUSE-based distributions. After applying updates, reboot systems to activate the patched kernel and monitor the AppArmor policy interface (/sys/kernel/security/apparmor/) for unexpected profile changes.
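
One way to do the profile monitoring described above, as an added example (not Qualys or vendor code): snapshot the kernel's list of loaded profiles and report additions, removals, and mode changes against a baseline. It assumes the "name (mode)" line format of /sys/kernel/security/apparmor/profiles; the baseline path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example: detect drift in the set of loaded AppArmor profiles.
# The kernel lists loaded profiles, one per line, as "name (mode)" in
# /sys/kernel/security/apparmor/profiles (readable by root).
AA_PROFILES="${AA_PROFILES:-/sys/kernel/security/apparmor/profiles}"

# aa_snapshot [FILE]: print a byte-order sorted copy of the profile list.
aa_snapshot() {
    LC_ALL=C sort "${1:-$AA_PROFILES}"
}

# aa_drift BASELINE CURRENT: print one line per change (ADDED, MODE,
# REMOVED) and return 1 if anything changed, 0 if the lists match.
aa_drift() {
    awk '
        # Split "name (mode)" at the trailing " (...)" so that profile
        # names containing spaces are kept intact.
        function parse(line) {
            i = match(line, / \([^()]*\)$/)
            if (!i) { name = line; mode = "?"; return }
            name = substr(line, 1, i - 1)
            mode = substr(line, i + 2, length(line) - i - 2)
        }
        pass == 1 { parse($0); base[name] = mode; next }
        {
            parse($0); seen[name] = 1
            if (!(name in base))
                print "ADDED " name " (" mode ")"
            else if (base[name] != mode)
                print "MODE " name " " base[name] " -> " mode
        }
        END {
            for (n in base)
                if (!(n in seen)) print "REMOVED " n " (" base[n] ")"
        }
    ' pass=1 "$1" pass=2 "$2" | LC_ALL=C sort |
        awk '{ print } END { exit (NR > 0) }'
}

# Usage as root, after patching and rebooting (paths are hypothetical):
#   aa_snapshot > /var/lib/aa-baseline
#   aa_snapshot > /tmp/aa-now && aa_drift /var/lib/aa-baseline /tmp/aa-now
```

A MODE line that moves a profile from enforce to complain, or a REMOVED line for a profile you did not unload, is the kind of change to investigate.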

You should review Linux distribution vendor advisories for fixed kernel versions and patch availability. The CrackArmor vulnerabilities are associated with multiple CVEs, including CVE-2026-23268 and CVE-2026-23269, with additional identifiers assigned as upstream fixes are released.