Nine serious security holes have been found in AppArmor, a widely used mandatory access control framework for Linux. These weaknesses, known as "CrackArmor," let unprivileged local users gain root access, break container isolation, and cause kernel crashes.
More than 12.6 million business Linux systems around the world are affected by this problem. The CrackArmor vulnerabilities date back to Linux kernel version 4.11, which came out in 2017, and they went undetected in production environments for almost nine years. The Qualys Threat Research Unit (TRU) found the flaws and made them public on March 12, 2026.
The flaws are in AppArmor's implementation as a Linux Security Module (LSM), not in its security model itself.
Use Qualys QID 386714 to scan all Linux endpoints for AppArmor versions that are affected. Give priority to assets that are accessible from the internet. Check /sys/kernel/security/apparmor/ for any unexpected changes to profiles, which could mean that someone is actively exploiting them.
Use Qualys CyberSecurity Asset Management queries to list all Ubuntu, Debian, and SUSE assets with AppArmor installed in both on-premises and cloud environments. Qualys has confirmed that the CrackArmor vulnerabilities do not affect its own products or platforms.
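One way to carry out the check of /sys/kernel/security/apparmor/ for unexpected profile changes, as an added example that is not code from this article or from Qualys. It assumes a copy of the kernel's `profiles` listing was saved earlier from a known-good state; the function names and sample profile lines are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Kernel's list of loaded profiles, one "name (mode)" per line; reading it needs root.
PROFILES = Path("/sys/kernel/security/apparmor/profiles")
LINE_RE = re.compile(r"^(?P<name>.+) \((?P<mode>[a-z]+)\)$")

# Constructed sample data for illustration, not taken from a real host.
SAMPLE_BASELINE = """\
/usr/sbin/cupsd (enforce)
/usr/bin/man (enforce)
docker-default (enforce)
"""
SAMPLE_CURRENT = """\
/usr/sbin/cupsd (complain)
docker-default (enforce)
example-unknown-profile (unconfined)
"""

def parse_profiles(text):
    """Map profile name -> mode; lines that do not match are skipped."""
    profiles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            profiles[m["name"]] = m["mode"]
    return profiles

def diff_profiles(baseline, current):
    """Return (kind, name, old_mode, new_mode) tuples, sorted by kind then name."""
    findings = []
    for name in baseline.keys() | current.keys():
        old, new = baseline.get(name), current.get(name)
        if old == new:
            continue
        kind = "removed" if new is None else "added" if old is None else "mode-changed"
        findings.append((kind, name, old, new))
    return sorted(findings, key=lambda f: (f[0], f[1]))

if __name__ == "__main__":
    # Usage: script.py BASELINE_FILE  (a copy of PROFILES saved from a known-good state)
    if len(sys.argv) > 1:
        base, cur = Path(sys.argv[1]).read_text(), PROFILES.read_text()
    else:
        base, cur = SAMPLE_BASELINE, SAMPLE_CURRENT
    findings = diff_profiles(parse_profiles(base), parse_profiles(cur))
    for kind, name, old, new in findings:
        print(f"{kind}: {name} {old or '-'} -> {new or '-'}")
    sys.exit(1 if findings else 0)
```

The comparison covers profile names and modes only, so a profile whose rules were rewritten under the same name and mode is not reported. A removed profile or a switch from enforce to a weaker mode deserves review first.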












