
AppArmor Had a Privilege Escalation Bug. Since 2017.

AppArmor is supposed to be one of the deeper layers of Linux security. It sits inside the kernel, enforces access control policies, and restricts what any given process can do even after it is already running. The pitch is: even if something breaks through, AppArmor contains the damage.

On March 12, 2026, Qualys published nine vulnerabilities in AppArmor itself. They named them CrackArmor. The flaws had been sitting there since 2017.


What AppArmor Actually Does

Before getting into the bugs, it is worth being clear on what AppArmor is and why it matters.

AppArmor is a Linux Security Module that enforces mandatory access control. Unlike filesystem permissions, which are set by the file owner, AppArmor policies are defined by the administrator and enforced by the kernel regardless of what the process wants to do. A web server process confined by an AppArmor profile cannot read /etc/shadow even if it is running as root, cannot open a network socket it was not explicitly allowed, and cannot exec arbitrary binaries.

On Ubuntu, AppArmor is enabled by default. You did not have to opt in. It is running on your server right now, with profiles active for a number of system services.

The idea is that AppArmor is a last line. Even if an attacker exploits your app, they land inside the AppArmor box and cannot get further.


The CrackArmor Flaws

Qualys found nine vulnerabilities in the AppArmor kernel code, all requiring only an unprivileged local user account. No root. No special group membership. Just a shell.

The impacts break into three categories:

Local privilege escalation to root. The most serious outcome. By chaining AppArmor bugs with interactions through standard system tools like sudo and postfix, an unprivileged user could reach root on the machine. This is the kind of bug that turns a limited foothold into full control.

Denial of service via stack exhaustion. AppArmor handles nested policy namespaces recursively. An attacker could craft a deeply nested policy structure to blow the stack and crash the kernel. No special privilege required — anyone with a local account could take down the machine.

KASLR bypass via out-of-bounds reads. KASLR hides where kernel code and data live in memory, making exploitation harder. An out-of-bounds read in AppArmor’s pattern matching engine could leak kernel addresses and make other attacks more reliable.

The specifics: missing bounds checks in the DFA verifier, a double-free in namespace cleanup, race conditions in policy data lifecycle, and an unprivileged user being able to trigger privileged policy management operations. Nine separate issues, all in the AppArmor policy loading and parsing code.

None of these are exotic. Out-of-bounds reads and double-frees are the kind of bugs that turn up in security audits of C code that handles untrusted input. AppArmor parses policy files from userspace. That is the attack surface, and it had not been audited thoroughly for nine years.


The Scale

AppArmor ships enabled by default on Ubuntu. Qualys estimated over 12.6 million enterprise Linux instances actively running it at the time of disclosure.

That is not 12.6 million servers any attacker on the internet can reach. The attack requires a local user account. But local access is not as rare as it sounds. A compromised web app that achieves code execution, a misconfigured multi-tenant system, a service account a former employee still has access to — all of these count as local access.

The exploitability depends on context. On a single-user VPS where you are the only person with a shell, the practical risk is lower. On a shared system, it is much more serious. But the point of CrackArmor is that the very thing meant to contain a breach after local access was achieved was itself the path to escalate from that access.


The Fix

The kernel fix shipped on March 6, six days before Qualys published the details publicly. If you updated your kernel before March 12, you were patched before the vulnerability was public knowledge.

On Ubuntu 24.04, that means kernel version 6.8.0-106-generic or later.

```bash
uname -r
```

If it shows something older:

```bash
apt update && apt upgrade
reboot
```

The reboot is not optional. A kernel update does not take effect until you boot into the new kernel. Running apt upgrade and skipping the reboot leaves you on the old kernel regardless of what apt reports.
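As an added example (not part of the original post), the two checks above folded into a POSIX shell script: it compares the running kernel against the 6.8.0-106-generic minimum quoted here, treating the Ubuntu ABI number as a number so that 6.8.0-99 sorts below 6.8.0-106, and it flags the exact situation the paragraph warns about, a newer kernel installed by apt but not yet booted. The script name, function names and the `/boot/vmlinuz-<release>` lookup are assumptions.

```shell
# Added example, not from the original post. Assumes Ubuntu's release format
# "MAJOR.MINOR.PATCH-ABI-flavour" and installed kernels at /boot/vmlinuz-<release>.
MIN_PATCHED="6.8.0-106-generic"   # minimum patched release quoted in the post

# Map a release to one integer so "6.8.0-99-generic" sorts below
# "6.8.0-106-generic": the ABI after the first dash is what security updates bump.
kernel_key() {
    base=${1%%-*}                                    # "6.8.0"
    case $1 in
        *-*) rest=${1#*-}; abi=${rest%%-*} ;;        # "106" from "106-generic"
        *)   abi=0 ;;
    esac
    IFS=. read -r major minor patch <<EOF
$base
EOF
    echo $(( major * 10000000000 + minor * 10000000 + ${patch:-0} * 10000 + abi ))
}

# True (exit 0) when release $1 is the same as, or newer than, release $2.
kernel_at_least() {
    [ "$(kernel_key "$1")" -ge "$(kernel_key "$2")" ]
}

# True when an installed release ($2...) is newer than the running one ($1):
# apt upgrade delivered a kernel that is not used until the machine reboots.
reboot_pending() {
    running=$1; shift
    for installed in "$@"; do
        if [ "$(kernel_key "$installed")" -gt "$(kernel_key "$running")" ]; then
            return 0
        fi
    done
    return 1
}

# Live check on this host: running kernel vs MIN_PATCHED, and pending reboot.
check_host() {
    running=$(uname -r)
    if kernel_at_least "$running" "$MIN_PATCHED"; then
        echo "running $running: at or above $MIN_PATCHED"
    else
        echo "running $running: older than $MIN_PATCHED, update needed"
    fi
    installed=$(ls /boot/vmlinuz-* 2>/dev/null | sed 's#.*/vmlinuz-##')
    if reboot_pending "$running" $installed; then
        echo "newer kernel installed but not running: reboot required"
    fi
}
case "${1:-}" in --check) check_host ;; esac   # run as: sh check.sh --check
```

Run it with `--check` after `apt upgrade` and again after the reboot; the second run should report neither an older kernel nor a pending reboot.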


What This Changes About the Maintenance Routine

Most people treat kernel updates as optional. The kernel rarely breaks anything, updates are infrequent, and a reboot means downtime. So it slides. Weeks, sometimes months.

CrackArmor is a good example of why that is the wrong call for security updates specifically.

The kernel is not just the thing that boots. It is the security boundary between processes, between users, between the OS and the hardware. Vulnerabilities in it cannot be mitigated with a config change or a WAF rule. The only fix is the patched kernel, and the only way to run it is to reboot.

A practical approach: check for kernel updates weekly, apply them, schedule the reboot. On a low-traffic personal site, a 60-second reboot at off-peak hours is not a meaningful event. Treating it as one leads to running a known-vulnerable kernel for months.


Is This Right for You?

If you run a single-tenant VPS where you are the only one with shell access, apply the kernel update and you are done. The practical risk from a local privilege escalation on a server only you can log into is real but bounded.

If you run anything with multiple users, shared hosting, or services that execute code on behalf of untrusted input, this is higher priority. Local privilege escalation in that context means any foothold becomes full root.

Either way, the fix is the same: update the kernel, reboot, verify you are on the patched version. The only bad outcome is knowing about it and not applying it.


https://srmdn.com/blog/crackarmor-apparmor-vulnerability-2026
Author srmdn
Published at March 14, 2026