Critical AppArmor “CrackArmor” Flaws Allow Unprivileged Users to Gain Root on Millions of Linux Systems
What Happened — Qualys disclosed nine “CrackArmor” vulnerabilities in the Linux kernel’s AppArmor module that let an unprivileged user bypass mandatory‑access controls, execute code in kernel space, and obtain root privileges. Proof‑of‑concept exploits exist, but no CVEs have been assigned yet.
Why It Matters for TPRM —
- The flaws affect over 12 million Linux deployments, including cloud, container, and IoT environments that many third‑party vendors run.
- Successful exploitation grants full system control, undermining confidentiality, integrity, and availability of downstream services.
- Patch cycles vary across providers; unpatched systems can become a supply‑chain foothold for attackers.
Who Is Affected — Enterprises using Linux‑based workloads (cloud platforms, Kubernetes, SaaS applications), IoT device manufacturers, and any MSP/MSSP that hosts Linux containers.
Recommended Actions —
- Verify that all Linux hosts have received the latest kernel patches that address the CrackArmor bugs.
- Review and harden AppArmor profiles; consider temporary disablement if patches cannot be applied immediately.
- Re‑assess container isolation controls and monitor for abnormal privilege‑escalation activity.
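A per-host check for the first action, as an added example that is not part of the original advisory: it reports whether AppArmor is active and whether the running kernel is at or past a patched version. `FIXED_KERNEL` is a placeholder to fill in from your distribution's security notice (the page names no fixed versions), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory. FIXED_KERNEL is a placeholder: take the
# patched kernel version from your distribution's security notice.

# version_ge A B: succeed when version string A sorts at or after B.
# Assumption: both strings come from the same distro kernel series, so a
# version sort (sort -V) orders them the way the package manager would.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# apparmor_state [FILE]: print Y when the AppArmor LSM is active, else N.
# The module exposes its state in /sys/module/apparmor/parameters/enabled.
apparmor_state() {
    if [ "$(cat "${1:-/sys/module/apparmor/parameters/enabled}" 2>/dev/null)" = "Y" ]; then
        echo Y
    else
        echo N
    fi
}

# classify_host STATE RUNNING FIXED: print one triage verdict for the host.
classify_host() {
    if [ -z "$3" ]; then
        echo UNKNOWN                  # no patched version supplied yet
    elif version_ge "$2" "$3"; then
        echo PATCHED                  # running kernel is at or past the fix
    elif [ "$1" = "Y" ]; then
        echo EXPOSED                  # AppArmor active on an unpatched kernel
    else
        echo UNPATCHED_APPARMOR_OFF   # still needs the update, lower priority
    fi
}

# Report for the local host. uname -r is the *running* kernel, so a host that
# installed the fix but has not rebooted is still reported as unpatched.
echo "$(uname -n) kernel=$(uname -r) apparmor=$(apparmor_state)" \
     "verdict=$(classify_host "$(apparmor_state)" "$(uname -r)" "${FIXED_KERNEL:-}")"
```

Run it as `FIXED_KERNEL=<patched-version> sh check.sh` on each host, or push it through your existing configuration-management tooling and collect the one-line output.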
Technical Notes — The vulnerabilities stem from a confused‑deputy issue in AppArmor profile handling, enabling namespace bypass, KASLR defeat, and kernel‑panic DoS. Affected distributions include Ubuntu, Debian, and SUSE where AppArmor is enabled by default. Source: https://securityaffairs.com/189487/hacking/unprivileged-users-could-exploit-apparmor-bugs-to-gain-root-access.html