AppArmor 'CrackArmor' flaw
Researchers disclosed nine 'CrackArmor' flaws in Linux AppArmor that can allow local users to escalate to root and bypass container isolation, potentially exposing 12.6 million enterprise systems, including trading hosts, according to reports. The vulnerabilities reportedly affect default AppArmor deployments in Ubuntu/Debian/SUSE and are particularly relevant where kernel-level performance tweaks or container isolation are in use.
Qualys Threat Research Unit publicly disclosed "CrackArmor" in a coordinated advisory on March 12–13, 2026, after tracing the AppArmor code defects back to Linux kernel v4.11 (2017) (source: blog.qualys.com). Qualys’ asset analysis quantified over 12.6 million enterprise Linux instances with AppArmor enabled by default, and Canonical’s Ubuntu knowledge base lists Ubuntu, Debian and SUSE as affected distributions with security updates being prepared (source: blog.qualys.com). Linux vendors published upstream kernel fixes in March 2026 (patch sets merged into recent stable trees and vendor kernels such as patched 6.8.x/6.6.x/6.1.x/5.15.x series), and vendors warned that applying kernel updates requires a system reboot to activate the AppArmor fixes (source: linuxcompatible.org). Qualys’ technical advisory demonstrates a practical attack chain: an unprivileged local user can load or replace AppArmor profiles to enforce a "deny all" against services like sshd, or remove protections for daemons such as cupsd and rsyslogd. The advisory recommends applying both kernel and userspace mitigations and monitoring /sys/kernel/security/apparmor for unexpected profile changes (source: cdn2.qualys.com).
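
One way to act on the monitoring recommendation is to diff the loaded profile list against a saved baseline. This is an added example, not code from Qualys or any vendor; it assumes the kernel's `/sys/kernel/security/apparmor/profiles` file with one `name (mode)` entry per line, and the sample profile lists are constructed.

```python
"""Diff loaded AppArmor profiles against a saved baseline (added example)."""
import re
import sys

PROFILES_PATH = "/sys/kernel/security/apparmor/profiles"  # normally root-readable
LINE_RE = re.compile(r"^(?P<name>.+) \((?P<mode>[^()]+)\)$")

# Constructed sample data, not captured from a real host.
SAMPLE_BASELINE = """\
/usr/sbin/cupsd (enforce)
/usr/sbin/cupsd//third_party (enforce)
rsyslogd (enforce)
docker-default (enforce)
"""
SAMPLE_CURRENT = """\
/usr/sbin/cupsd (complain)
docker-default (enforce)
sshd (enforce)
"""

def parse_profiles(text):
    """Map profile name -> mode from 'name (mode)' lines; skip unparsable lines."""
    profiles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            profiles[m.group("name")] = m.group("mode")
    return profiles

def diff_profiles(baseline, current):
    """Return sorted (event, profile, detail) tuples describing drift."""
    events = [("removed", n, baseline[n]) for n in baseline.keys() - current.keys()]
    events += [("added", n, current[n]) for n in current.keys() - baseline.keys()]
    for n in baseline.keys() & current.keys():
        if baseline[n] != current[n]:
            events.append(("mode_changed", n, f"{baseline[n]}->{current[n]}"))
    return sorted(events)

def main(argv):
    """With a baseline file argument, compare it to the live list; else use samples."""
    if len(argv) == 2:
        with open(argv[1]) as b, open(PROFILES_PATH) as c:
            baseline, current = parse_profiles(b.read()), parse_profiles(c.read())
    else:
        baseline, current = parse_profiles(SAMPLE_BASELINE), parse_profiles(SAMPLE_CURRENT)
    events = diff_profiles(baseline, current)
    for event, name, detail in events:
        print(f"{event}\t{name}\t{detail}")
    return 1 if events else 0  # non-zero exit lets cron or a monitoring agent alert

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A profile replaced under the same name and mode does not show up in this comparison, so treat it as one signal alongside patching, not a substitute for it.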