On March 12, 2026 Debian published security advisory DSA-6162-1 for the Linux kernel in its stable branch, trixie (Debian 13). The update closes the set of AppArmor flaws that Qualys named CrackArmor, along with several other kernel vulnerabilities. The fixed version is 6.12.74-2.
What CrackArmor is
CrackArmor is the name Qualys’ Threat Research Unit gave to a group of vulnerabilities in the kernel’s AppArmor module. AppArmor is the mandatory access control (MAC) system that Debian, Ubuntu and SUSE ship to confine processes and restrict what each program is allowed to touch. The bug class is the confused deputy: a privileged part of the kernel performs actions on behalf of a process without properly checking whether that process was entitled to request them, so the kernel’s own authority is lent to an unprivileged caller.
The flaws have been present since kernel 4.11, released in April 2017. That means any system running AppArmor on a kernel newer than that date has potentially been exposed for years.
Who is affected and how serious it is
DSA-6162-1 bundles several CVEs, including CVE-2026-23233 (the advisory’s primary reference), CVE-2025-71238, CVE-2026-23100, CVE-2026-23221, CVE-2026-23234, CVE-2026-23235, CVE-2026-23236, CVE-2026-23237 and CVE-2026-23238.
The impact Debian describes is plain: under certain conditions an unprivileged local user can escalate to root, crash the system (denial of service), or leak kernel memory. There is no remote component; the attacker needs local code execution first, for example a low-privilege account or a shell obtained through a compromised application. Even so, on shared servers, multi-tenant hosting, or container platforms, a local escalation is a real problem: containers share the host kernel, so a kernel privilege escalation breaks the very barrier you rely on to keep tenants apart.
These flaws are not specific to Debian. They affect any distribution that ships AppArmor, which is why Ubuntu and others released fixes alongside Debian.
How to protect yourself
The mitigation is straightforward: update the kernel package to 6.12.74-2 or later on trixie. The usual steps:
sudo apt update
sudo apt upgrade
After installing the new kernel you have to reboot so the system boots into the patched version. Until you reboot you keep running the old, vulnerable kernel, even though the package on disk is already up to date.
If you manage machines you cannot reboot right away, prioritize the ones with multiple local users or running containers, since those carry the most exposure to a privilege escalation. Check which kernel is actually running, not just which package is installed: uname -r shows the running kernel’s ABI name, and the tail of /proc/version carries the Debian package version it was built from. Compare that against the fixed package version; a host where apt reports the new package but the banner still shows the old version has not been rebooted yet.
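The following script turns the check above into something you can run across a fleet. It is an added example written for this page, not tooling from Debian or Qualys. It assumes a trixie host using the standard linux-image-<arch> metapackage, takes the fixed version 6.12.74-2 from the advisory, and relies on the Debian kernel build ending the /proc/version banner with "Debian <package version> (<date>)". The sample banner embedded in it is constructed for offline testing; the version comparison is deliberately simplified to numeric fields and does not implement the full dpkg ordering.

```sh
#!/bin/sh
# dsa6162_check.sh: is this trixie host still running a kernel older than the
# DSA-6162-1 fix? Added example for this page; not Debian's or Qualys' tooling.
# Assumptions: Debian trixie, the standard linux-image-<arch> metapackage, and
# the fixed version 6.12.74-2 as stated in the advisory.

FIXED_VERSION="6.12.74-2"

# Constructed sample banner (not captured from a real host) so the parsing can
# be exercised offline. Only the "Debian <version> (<date>)" tail matters.
SAMPLE_BANNER='Linux version 6.12.57+deb13-amd64 (debian-kernel@lists.debian.org) (x86_64-linux-gnu-gcc-14 (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44) #1 SMP PREEMPT_DYNAMIC Debian 6.12.57-1 (2025-11-05)'

# Pull the Debian package version out of a kernel banner. uname -r only gives
# the ABI name, so the banner is where the package version is read from.
# $1: banner text; defaults to the live /proc/version.
running_pkg_version() {
    banner="${1:-$(cat /proc/version 2>/dev/null)}"
    printf '%s\n' "$banner" |
        sed -n 's/.* Debian \([0-9][0-9.]*-[0-9][0-9a-z+~.]*\) (.*/\1/p'
}

# True (exit 0) when version $1 >= version $2, comparing the numeric fields of
# "A.B.C-R" left to right. Simplified on purpose: no ~ or letter handling,
# which the kernel versions in this advisory do not need.
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'[.-]' '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i + 0; na = NF; next }
        {
            n = (NF > na) ? NF : na
            for (i = 1; i <= n; i++) {
                x = (i <= na) ? a[i] : 0
                y = (i <= NF) ? $i + 0 : 0
                if (x > y) exit 0
                if (x < y) exit 1
            }
            exit 0
        }'
}

# Classify a host from two versions:
#   $1: package version of the running kernel (from the banner)
#   $2: version of the installed linux-image metapackage (from dpkg)
# Prints one of: patched | reboot-needed | vulnerable | unknown
kernel_state() {
    running="$1"; installed="$2"
    if [ -z "$running" ]; then
        echo unknown            # banner is not from a Debian kernel build
    elif version_ge "$running" "$FIXED_VERSION"; then
        echo patched            # already booted into the fixed kernel
    elif version_ge "$installed" "$FIXED_VERSION"; then
        echo reboot-needed      # fixed package on disk, old kernel still running
    else
        echo vulnerable         # running kernel predates the fix, no fixed package found
    fi
}

# Offline demonstration on the constructed banner.
printf 'sample banner -> %s\n' "$(running_pkg_version "$SAMPLE_BANNER")"

# Live check when run on a Debian host; silently skipped elsewhere.
if [ -r /proc/version ] && command -v dpkg-query >/dev/null 2>&1; then
    arch=$(dpkg --print-architecture 2>/dev/null)
    installed=$(dpkg-query -W -f='${Version}' "linux-image-$arch" 2>/dev/null || true)
    running=$(running_pkg_version)
    printf 'running=%s installed=%s fixed=%s -> %s\n' \
        "${running:-?}" "${installed:-?}" "$FIXED_VERSION" \
        "$(kernel_state "$running" "$installed")"
fi
```

Run it with plain sh on each host (for example over ssh from an inventory) and act on the last word: "reboot-needed" hosts have the package and only need a reboot window, "vulnerable" hosts have not been upgraded at all, and "unknown" means the kernel is not a Debian build and needs a manual look.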
Debian also released DSA-6163-1 for the oldstable branch Bookworm (Debian 12), which covers these same flaws together with other fixes. If you have Bookworm machines, review that advisory too.
For the distribution page and the rest of the advisories, see Debian.