AppArmor vulnerability fixes available

Qualys discovered several vulnerabilities in the AppArmor code of the Linux kernel. These are being referred to as CrackArmor, while CVE IDs have not been assigned yet. All of the vulnerabilities require unprivileged local user access. The impact of these vulnerabilities ranges from denial of service to kernel memory information leak, removing security controls, and local privilege escalation to root user. Ubuntu releases are affected differently and this is detailed in the corresponding sections below.

Linux kernel fixes for the supported Ubuntu releases are being made available as security updates by the Canonical Kernel Team. Furthermore, our security team has provided userspace mitigations in the form of security updates, for all affected Ubuntu releases. Our recommendation is that you apply both userspace mitigations and Linux kernel security updates.

AppArmor is a Mandatory Access Control (MAC) Linux Security Module that provides an additional layer of security on Ubuntu systems and supplements the traditional Discretionary Access Control (DAC) model. In addition to being enabled by default on Ubuntu releases, AppArmor is also used by other Linux distributions.

Vulnerability summary

This blog provides a summary of the reported security vulnerabilities in the AppArmor Linux kernel code and the sudo application, as well as unsafe behaviour in the su utility which facilitates exploitation of the AppArmor kernel vulnerabilities. The following table summarizes the issues:

Package | Description | CVE IDs
linux | All of the AppArmor vulnerabilities are in the Linux kernel. On host deployments, these rely on a fundamental “confused deputy” issue for exploitation, which is one of the AppArmor vulnerabilities. Security updates are available for some affected releases. | No CVE assigned yet. These are referred to as CrackArmor. Tracked as Launchpad Bug #2143853.
sudo, sudo-ldap | The sudo utility has a vulnerability that can lead to local privilege escalation in host deployment scenarios, when combined with other vulnerabilities described here. Security updates are available for all affected releases. | No CVE assigned, tracked as Launchpad Bug #2143042.
util-linux | The su utility in the util-linux package exhibits unsafe behaviour which facilitates the exploitation of the AppArmor vulnerabilities in host deployment scenarios. Security updates which harden the su utility are available for all affected releases. | This is not a vulnerability, so it will not receive a CVE identifier. Tracked as Launchpad Bug #2143850.

AppArmor vulnerability summary

The Vulnerability Knowledge Base article contains a detailed description of the vulnerabilities, as well as of the mitigations provided via security updates.

Impact scenarios/assessment

Deployments without container workloads

Exploitation on hosts not running container workloads requires the cooperation of a privileged application (e.g. a setuid binary). The presence of a container orchestration system without running containers does not by itself create an exploitation opportunity. The Qualys team have identified the behaviour of the su utility as enabling exploitation. This can only be triggered by unprivileged users that have a password set – unprivileged system users cannot invoke su successfully without having access to an account’s password and hence cannot trigger the vulnerabilities. In the absence of such a cooperating privileged application, the vulnerabilities can only be triggered by a privileged user (root).

An unrelated vulnerability has been identified by Qualys in sudo which can be triggered through the email notifications feature. This vulnerability enables local privilege escalation when chained with the AppArmor vulnerabilities and the su privileged application. sudo-rs, the Rust-rewrite of sudo available by default in Ubuntu Questing Quokka (25.10) and later, is not affected because of the design decision to not send email notifications.

The Ubuntu Security Team has prepared security updates for both su (in the util-linux package) and sudo. The su security patch should be considered a mitigation and we strongly recommend that you additionally apply the Linux kernel security updates as soon as possible.

Container deployments

In container deployments that may execute potentially-malicious attacker-controlled container images, the AppArmor Linux kernel vulnerabilities can be exploited without the need for a cooperating privileged userspace application. This could theoretically enable container escape scenarios, although this has not been practically demonstrated at the time of writing.

The Ubuntu Security Team strongly recommends applying the Linux kernel security updates as the only available remediation.

The following sections explain how different Ubuntu releases are impacted, and associated fixes or mitigations.

Linux kernel security updates

The Linux kernel security updates address all of the AppArmor vulnerabilities identified by Qualys.

All supported Ubuntu releases are affected by the fundamental “confused deputy” vulnerability. The combination of vulnerabilities that enable local privilege escalation and container escape scenarios is not present in Trusty Tahr (14.04 LTS) or Xenial Xerus (16.04 LTS).

How to check if you are impacted

On your system, run the following command to get the version of the currently running kernel, and compare it against the per-release version table in the Vulnerability Knowledge Base article referenced below.

uname -r

The list of installed kernel packages can be obtained using the following command:

dpkg -l 'linux-image*' | grep ^ii

You can compare the version of the specific kernel variant that you have installed against the per-release version table available in the Vulnerability Knowledge Base article.

How to address

Please note that the Linux kernel images are currently in the process of being made available in the Ubuntu Archive. When they are released, we recommend you upgrade all packages:

sudo apt update && sudo apt upgrade

If this is not possible and the Linux kernel is installed via a meta package, its update can be targeted directly:

sudo apt update
dpkg-query -W -f '${source:Package}\t${binary:Package}\n' | awk '$1 ~ "^linux-meta" { print $2 }' | xargs sudo apt install --only-upgrade

Once the security updates for the Linux kernel are installed, a reboot is required:

sudo reboot

The unattended-upgrades feature is enabled by default for Ubuntu Xenial Xerus (16.04 LTS) onwards. This service:

  • Applies new security updates every 24 hours automatically.
  • If you have this enabled, the patches above will be automatically applied within 24 hours of being available, but a reboot will still be required.

sudo security updates

The sudo package security updates address the unrelated sudo vulnerability that can be chained with the AppArmor vulnerability to facilitate local privilege escalation.

How to check if you are impacted

To get the version of the sudo package installed, run the following command:

dpkg -l 'sudo*' | grep ^ii

The following table lists the fixed versions of the sudo package in all supported Ubuntu releases:

Release                    | Package   | Fixed version
Questing Quokka (25.10)    | sudo      | 1.9.17p2-1ubuntu1.1
Questing Quokka (25.10)    | sudo-ldap | 1.9.17p2-1ubuntu1.1
Questing Quokka (25.10)    | sudo-rs   | Not affected
Noble Numbat (24.04 LTS)   | sudo      | 1.9.15p5-3ubuntu5.24.04.2
Noble Numbat (24.04 LTS)   | sudo-ldap | 1.9.15p5-3ubuntu5.24.04.2
Jammy Jellyfish (22.04 LTS) | sudo      | 1.9.9-1ubuntu2.6
Jammy Jellyfish (22.04 LTS) | sudo-ldap | 1.9.9-1ubuntu2.6
Focal Fossa (20.04 LTS)    | sudo      | Not affected
Focal Fossa (20.04 LTS)    | sudo-ldap | Not affected
Bionic Beaver (18.04 LTS)  | sudo      | Not affected
Bionic Beaver (18.04 LTS)  | sudo-ldap | Not affected
Xenial Xerus (16.04 LTS)   | sudo      | Not affected
Xenial Xerus (16.04 LTS)   | sudo-ldap | Not affected
Trusty Tahr (14.04 LTS)    | sudo      | Not affected
Trusty Tahr (14.04 LTS)    | sudo-ldap | Not affected

Affected sudo versions

How to address

We recommend you upgrade all packages:

sudo apt update && sudo apt upgrade

If this is not possible, the sudo userspace mitigations can be installed directly and do not require a reboot to apply:

sudo apt update
sudo apt install sudo

The unattended-upgrades feature is enabled by default for Ubuntu Xenial Xerus (16.04 LTS) onwards. This service:

  • Applies new security updates every 24 hours automatically.
  • If you have this enabled, the patches above will be automatically applied within 24 hours of being available.

util-linux security updates

The util-linux package security updates harden the su utility to avoid it being used to exploit the AppArmor vulnerabilities.

How to check if you are impacted

To get the version of the util-linux package installed, run the following command:

dpkg -l util-linux

The following table lists the fixed versions of the util-linux package in all supported Ubuntu releases:

Release                    | Package    | Fixed version
Questing Quokka (25.10)    | util-linux | 2.41-4ubuntu4.2
Noble Numbat (24.04 LTS)   | util-linux | 2.39.3-9ubuntu6.5
Jammy Jellyfish (22.04 LTS) | util-linux | 2.37.2-4ubuntu3.5
Focal Fossa (20.04 LTS)    | util-linux | 2.34-0.1ubuntu9.6+esm1
Bionic Beaver (18.04 LTS)  | util-linux | Not affected
Xenial Xerus (16.04 LTS)   | util-linux | Not affected
Trusty Tahr (14.04 LTS)    | util-linux | Not affected

Affected util-linux versions

How to address

We recommend you upgrade all packages:

sudo apt update && sudo apt upgrade

If this is not possible, the util-linux userspace mitigations can be installed directly and do not require a reboot to apply:

sudo apt update
sudo apt install util-linux

The unattended-upgrades feature is enabled by default for Ubuntu Xenial Xerus (16.04 LTS) onwards. This service:

  • Applies new security updates every 24 hours automatically.
  • If you have this enabled, the patches above will be automatically applied within 24 hours of being available.

Acknowledgements

We would like to thank Qualys for their excellent reporting and for engaging with the AppArmor team, the Canonical Kernel Team, the Ubuntu Security Team, the Linux Kernel Security Team, and other Linux distributions in coordinated vulnerability disclosure.

References

Ubuntu Vulnerability Knowledge Base Article
Qualys CrackArmor security advisory
