Nine critical vulnerabilities in Linux AppArmor put over 12M enterprise systems at risk
Qualys researchers have disclosed nine vulnerabilities in Linux AppArmor, collectively dubbed 'CrackArmor', which they estimate affect over 12.6 million enterprise Linux instances running Ubuntu, Debian, and SUSE. The flaws have been present since Linux kernel 4.11 (2017) and stem from a 'confused deputy' design flaw: an unprivileged local attacker can use them to escalate privileges to root, break container isolation, or crash the system (denial of service).

A full exploit chain was demonstrated on a default Ubuntu Server installation with Postfix: the attacker forces Sudo into a fail-open state and from there obtains arbitrary command execution as root. Four additional kernel-level bugs were found alongside the AppArmor flaws, including one that enables reads of kernel memory and two that each provide an independent path to root.

No CVEs have been assigned yet. Patches landed in Linus Torvalds' upstream kernel tree on March 12, following an eight-month coordinated disclosure with Ubuntu, Canonical, Debian, SUSE, and the Sudo maintainers. Because the flaws are in the kernel's AppArmor implementation rather than in a user-space package, the fix is a kernel update: administrators should apply their distribution's patched kernel and reboot as soon as it is available.