CrackArmor: AppArmor Flaws Enable Local Privilege Escalation to Root

CrackArmor: AppArmor Flaws Enable Local Privilege Escalation to Root

Screenshot 2024-09-25 at 9.12.26 AM

By Avital Harel

Mar 13, 2026

Executive Summary

CrackArmor is a group of vulnerabilities affecting the Linux kernel AppArmor security module that allow local attackers to interfere with how AppArmor security profiles are managed and enforced. By abusing weaknesses in policy management and kernel profile parsing logic, an attacker with limited system access may weaken AppArmor protections or escalate privileges to root. Because AppArmor is widely deployed across major Linux distributions, organizations should apply the March 2026 kernel patches immediately.

What Is CrackArmor?

Linux environments rely on kernel security modules to enforce isolation between applications, containers, and system processes. One of the most widely deployed mechanisms is AppArmor, a Mandatory Access Control (MAC) framework used by major Linux distributions, including Ubuntu, Debian, and SUSE.

Researchers recently disclosed a set of vulnerabilities collectively dubbed CrackArmor. These issues expose weaknesses in AppArmor that can allow an unprivileged local attacker to manipulate AppArmor policy handling, weaken enforcement, and, in some cases, escalate privileges to root, bypassing one of Linux’s core security boundaries.

Because AppArmor is enabled by default in many Linux distributions and is commonly relied on in cloud and containerized environments, these vulnerabilities meaningfully expand the attack surface across enterprise infrastructure.

Is CrackArmor Actively Exploited?

At the time of writing, there is no public evidence of active in-the-wild exploitation of the CrackArmor vulnerabilities. Exploitation requires local access to a vulnerable system.

Kernel patches addressing the issues have been released through coordinated vendor updates.

Which Linux Systems Are Affected?

Vulnerable versions:

Linux kernel 4.11 and later with AppArmor enabled, prior to the March 2026 security patches.

Fixed versions:

Linux kernels with the AppArmor CrackArmor patches released in March 2026, including patched versions of 6.8.x, 6.6.x LTS, 6.1.x LTS, and 5.15.x LTS distributed by Linux vendors.

How to Check if Your System Is Vulnerable

A system may be affected if it is running a vulnerable kernel version and AppArmor is enabled.

Administrators can quickly check this using:

uname -r

to view the running kernel version.

To verify that AppArmor is active:

apparmor_status

or

cat /sys/module/apparmor/parameters/enabled

If the output returns Y, AppArmor is enabled.

Systems running vulnerable kernel versions with AppArmor enabled should be updated to the latest vendor-provided kernel packages.

What Is the Root Cause of CrackArmor?

CrackArmor is not a single vulnerability but a collection of flaws in AppArmor, centered on a confused-deputy issue in policy management, along with additional kernel memory-safety bugs that can be triggered by malicious profile operations.

A confused-deputy vulnerability occurs when a privileged component is tricked into performing an action on behalf of a lower-privileged user without properly validating the request.

In this case, AppArmor exposes profile management interfaces under:

/sys/kernel/security/apparmor/

These pseudo-files are responsible for loading, replacing, and removing AppArmor profiles. Under certain conditions, an unprivileged user can exploit interactions with privileged programs, such as su, to indirectly trigger these operations.

This effectively allows an attacker to manipulate AppArmor policy from an unprivileged context, including:

  • Removing profiles that protect critical services
  • Loading restrictive profiles to disrupt system functionality
  • Replacing profiles in ways that weaken security boundaries

Beyond policy manipulation, researchers also uncovered several vulnerabilities in the kernel-side logic responsible for parsing and managing AppArmor profiles, including:

  • Uncontrolled recursion leading to kernel stack exhaustion
  • Out-of-bounds memory read
  • Use-after-free
  • Double-free

These issues significantly increase the impact. Instead of merely weakening security policy enforcement, attackers may leverage crafted profile operations to trigger denial-of-service conditions, disclose kernel memory, or escalate privileges to full root access.

How Does CrackArmor Exploitation Work?

Exploitation may follow several possible paths depending on system configuration – it typically begins with local access and then abuses weaknesses in AppArmor policy management to influence privileged behavior.

1. Gain Local Access

The attacker first obtains local code execution as an unprivileged user. This could originate from a compromised account, a vulnerable application, a container workload, or another vulnerability that provides limited system access.

2. Manipulate AppArmor Policy

With local access, the attacker interacts with the AppArmor policy management interface to influence how security profiles are loaded, replaced, or removed. These operations are normally handled by administrative tools, but in affected systems they may be indirectly triggered through privileged utilities.

For example, output from a privileged process can be redirected into the AppArmor policy interface:

su someuser 2>/sys/kernel/security/apparmor/.remove

If the operation succeeds, the targeted AppArmor profile may be removed. In practice, this capability can allow an attacker to:

  • Remove profiles protecting existing services
  • Load new policy definitions
  • Replace existing profiles with weaker restrictions

3. Trigger Privileged Behavior

After influencing AppArmor policy, attackers may modify the restrictions applied to privileged programs in order to alter their behavior.

One demonstrated approach involves replacing the policy applied to a privileged utility and then invoking that program under controlled conditions. For example:

env -i MAIL_CONFIG=/tmp/postfix /usr/bin/sudo whatever

Under certain conditions, changes to the policy applied to sudo can interfere with how it transitions privileges, potentially causing a failure path where a helper program executes while still running with elevated privileges.

Another possible path involves interacting with AppArmor profile parsing logic. Crafted policy definitions may trigger kernel-side issues such as memory-safety errors.

4. Achieve Privilege Escalation or System Impact

Depending on the system configuration and the exploitation path taken, several outcomes are possible. For example, if an attacker replaces the AppArmor profile associated with a system service with a restrictive policy, the service may begin to fail when handling normal requests. A simple check such as:

ssh localhost

may suddenly fail if the SSH daemon is running under a modified or restrictive AppArmor profile.

Other potential outcomes include:

  • Escalating privileges to root
  • Reading sensitive kernel memory through disclosure bugs
  • Triggering system crashes through kernel faults
  • Disabling security protections for important services
  • Weakening container or namespace isolation boundaries

In practice, this turns a weakness in a security enforcement layer into a pathway that allows attackers to bypass the protections it is meant to provide.

Indicators of Compromise

Administrators should investigate the following indicators:

Unexpected AppArmor Policy Operations

Look for unusual AppArmor profile management events in dmesg, audit logs, or runtime telemetry, especially operations involving:

profile_load

profile_replace

profile_remove

Example log entries may include:

apparmor="STATUS" operation="profile_remove" info="not policy admin" error=-13

apparmor="STATUS" operation="profile_remove" info="profile does not exist" error=-2

Profile operations originating from unexpected processes such as echo or su should be treated as suspicious.

Access to AppArmor Policy Management Interfaces

Unexpected interaction with the following files may indicate attempted policy manipulation:

/sys/kernel/security/apparmor/.load

/sys/kernel/security/apparmor/.replace

/sys/kernel/security/apparmor/.remove

These interfaces are highly sensitive and should rarely be written to outside controlled administrative workflows.

Suspicious Use of Privileged Utilities

Some exploitation paths rely on chaining AppArmor policy manipulation through privileged helper programs, particularly su.

Investigate unexpected usage patterns such as:

  • su -P
  • su --pty
  • su invoked from untrusted processes
  • su combined with output redirection into AppArmor policy interfaces

These patterns may indicate attempts to trigger privileged operations indirectly.


Abnormal sudo Privilege Transition Failures

Unexpected sudo failures related to privilege transitions may also be relevant, including errors such as:

setresuid(...): Operation not permitted

unable to open /etc/sudoers: Operation not permitted

error initializing audit plugin sudoers_audit

These may indicate attempts to create fail-open conditions through policy manipulation.

Mitigation and Patching

Security updates addressing CrackArmor have been released by Linux vendors.

Organizations should take the following steps:

  1. Apply kernel updates – Install vendor-provided kernel updates that include the March 2026 AppArmor fixes.
  2. Reboot patched systems – Kernel updates require a system reboot to take effect.
  3. Review local execution exposure – Although exploitation requires local access, systems that allow shell access, container workloads, or multi-user environments may present additional risk.
  4. Monitor AppArmor policy activity – Unexpected policy load, replace, or removal operations should be investigated.
  5. Review privileged utility exposure – Because exploitation paths may involve tools such as sudo or su, organizations should review systems where these utilities coexist with exposed local execution paths.

Why Kernel Security Still Matters

Local privilege escalation vulnerabilities continue to play an important role in real-world attack chains. Attackers often begin with limited access and then attempt to escalate privileges to gain broader control over a system.

In cloud and containerized environments, this risk can be amplified. Access obtained within a workload or restricted shell may provide a path to host-level compromise if the underlying security boundaries can be weakened.

CrackArmor highlights how enforcement mechanisms themselves can become part of the attack surface when subtle implementation flaws are present.

Runtime Detection of CrackArmor Exploitation

Modern cloud environments require visibility not only into vulnerable packages and exposed services, but also into the runtime behaviors that indicate an attacker is trying to cross security boundaries.

How Upwind Helps

Upwind helps organizations detect and investigate behaviors associated with privilege escalation attempts by providing:

  • Detection of suspicious local activity associated with privilege escalation
  • Monitoring of abnormal process behavior involving AppArmor, namespace manipulation, and privileged utilities
  • Visibility into risky container and host configurations that weaken isolation
  • Correlation between vulnerability exposure and runtime signals

By combining runtime detection with infrastructure context, Upwind helps security teams identify exploitation activity earlier and reduce the window between initial access and full host compromise.

CrackArmor: AppArmor Flaws Enable Local Privilege Escalation to Root

Further Reading

hackerbot-claw Operation Review: Pull Requests as an Attack Vector in GitHub Actions
Research

hackerbot-claw Operation Review: Pull Requests as an Attack Vector in GitHub Actions

Amit Genkin headshot

By Amit Genkin

Mar 02, 2026

Executive Summary In February 2026, an autonomous bot named hackerbot-claw exploited insecure GitHub Actions configurations across multiple high-profile repositories. The campaign abused unsafe pull_request_target triggers, unsanitized inputs, dynamic shell execution, and overprivileged GITHUB_TOKEN permissions to achieve remote code execution (RCE) in GitHub-hosted runners. Across at least six repositories, the bot successfully executed arbitrary commands, and […]

Six CVEs in One Day: What’s Going On with n8n?
Research

Six CVEs in One Day: What’s Going On with n8n?

Amit Genkin headshot

By Amit Genkin

Feb 05, 2026

Executive Summary In a single day, six vulnerabilities were disclosed in n8n, spanning remote code execution, command injection, arbitrary file access, and cross-site scripting. All six issues affect authenticated functionality and repeatedly break isolation between workflows, configuration, and the underlying host. This is not random disclosure noise, it’s a clear signal of systemic security weaknesses […]

CVE-2026-1470: Remote Code Execution via n8n Expression Evaluation
Research

CVE-2026-1470: Remote Code Execution via n8n Expression Evaluation

Amit Genkin headshot

By Amit Genkin

Jan 27, 2026

Executive Summary CVE-2026-1470 is a critical remote code execution (RCE) vulnerability in the n8n workflow automation platform. The flaw stems from unsafe evaluation of user-supplied workflow expressions, allowing authenticated users to execute arbitrary JavaScript code within the n8n runtime and fully compromise the instance. Exploitation requires low privileges, no user interaction, and impacts all unpatched […]