
CrackArmor: kernel AppArmor flaws let users load arbitrary profiles (USN-8201-1)

AppArmor is the safety net that confines processes on Ubuntu and many other distributions: it decides which files, capabilities and resources each program can touch. On 22 April 2026, Canonical shipped USN-8201-1 to close a set of flaws that tore through that net. Qualys, who found them, named the cluster CrackArmor.

What actually happens

The bug lives in the Linux Security Module (LSM) that implements AppArmor inside the kernel. Qualys found that an unprivileged local user could load, replace and remove arbitrary AppArmor profiles. That is exactly what the confinement layer is supposed to prevent.

The headline issue, CVE-2026-23268, is a classic confused deputy problem. Any unprivileged application can open certain privileged control files under securityfs (usually mounted at /sys/kernel/security/) for writing. The permission check only runs when data is actually written, not when the descriptor is opened. If a privileged application can be tricked into writing the right format to that already-open descriptor, an attacker can load, change or remove existing AppArmor profiles by borrowing the privileged process’s rights.

The notice carries 11 patches for nine vulnerabilities, with IDs ranging from CVE-2026-23268 to CVE-2026-23411 (CVE-2026-23269, 23403, 23404, 23405, 23406, 23407, 23408, 23409, 23410 and 23411).

Who is affected and how badly

The common requirement is unprivileged local access. This isn’t a remote attacker knocking the machine over from the outside; it’s someone who already has an account or has managed to run code on the system. From there, depending on the specific flaw, they could:

  • Trigger denial of service (a kernel crash or hang).
  • Read sensitive kernel memory.
  • Disable security controls by loading or removing profiles.
  • Escalate privileges to root.
  • In some cases, break out of a container.

For multi-user boxes, shared hosting, or containers that lean on AppArmor as a barrier, that last point is the serious one: confinement people assumed was solid turns out to be bypassable.

USN-8201-1 affects Ubuntu 18.04 LTS on the linux-azure-5.4 kernel. The fix ships in version 5.4.0-1161.167~18.04.1 (package linux-image-5.4.0-1161-azure, plus the linux-image-azure / linux-image-azure-5.4 meta packages at 5.4.0.1161.167~18.04.1).

How to protect yourself

Update the kernel and reboot. On Ubuntu:

sudo apt update && sudo apt upgrade
sudo reboot

The reboot matters because the patch is in the kernel: until you boot the new one, you keep running the vulnerable AppArmor module. If you run a fleet on Azure with Ubuntu 18.04, start with the multi-user machines and anything running untrusted containers.
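To confirm that a machine has both installed and booted the fixed kernel, the following check is an added example, not code from the USN or from Canonical. The function names are hypothetical, and it assumes the Ubuntu-specific /proc/version_signature file and dpkg-query are available; the fixed version number is the one quoted above.

```shell
#!/bin/sh
# Added example, not part of USN-8201-1: is the fixed kernel installed AND booted?
# Fixed linux-azure-5.4 version quoted in the article: 5.4.0-1161.167~18.04.1
FIXED_ABI=1161
FIXED_UPLOAD=167

# version_fixed VERSION: 0 = at or past the fix, 1 = older, 2 = unparseable.
# Valid only for linux-azure-5.4 versions; other flavours number their ABI differently.
version_fixed() {
    case $1 in 5.4.0-[0-9]*.[0-9]*) ;; *) return 2 ;; esac
    vf_rest=${1#5.4.0-}              # 1161.167~18.04.1
    vf_abi=${vf_rest%%.*}            # 1161
    vf_rest=${vf_rest#*.}            # 167~18.04.1
    vf_upload=${vf_rest%%[!0-9]*}    # 167
    case "$vf_abi:$vf_upload" in *[!0-9:]*|:*|*:) return 2 ;; esac
    [ "$vf_abi" -gt "$FIXED_ABI" ] ||
        { [ "$vf_abi" -eq "$FIXED_ABI" ] && [ "$vf_upload" -ge "$FIXED_UPLOAD" ]; }
}

# kernel_state RUNNING INSTALLED: prints patched, reboot-required,
# vulnerable or unknown for the running and the newest installed version.
kernel_state() {
    ks_run=0; ks_inst=0
    version_fixed "$1" || ks_run=$?
    version_fixed "$2" || ks_inst=$?
    if [ "$ks_run" -eq 0 ]; then echo patched
    elif [ "$ks_run" -eq 2 ]; then echo unknown
    elif [ "$ks_inst" -eq 0 ]; then echo reboot-required
    else echo vulnerable
    fi
}

# check_host: collect both versions from a live Ubuntu system.
check_host() {
    case $(uname -r) in 5.4.0-*-azure) ;; *) echo not-covered; return ;; esac
    # Ubuntu kernels expose "Ubuntu <version>-<flavour> <upstream>" here.
    read -r ch_distro ch_running ch_rest < /proc/version_signature
    # Newest fully installed ("ii") image package for this flavour.
    ch_installed=$(dpkg-query -W -f='${db:Status-Abbrev} ${Version}\n' \
        'linux-image-5.4.0-*-azure' 2>/dev/null |
        awk '$1 == "ii" { print $2 }' | sort -V | tail -n 1)
    kernel_state "$ch_running" "$ch_installed"
}

# Two arguments: classify the given versions. Otherwise inspect this host.
if [ $# -eq 2 ]; then kernel_state "$1" "$2"; else check_host; fi
```

A result of reboot-required means the fixed package is on disk but the vulnerable kernel is still the one running.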

Keep in mind that Ubuntu 18.04 LTS is in Expanded Security Maintenance (ESM). If you still depend on it, make sure Ubuntu Pro is active so you keep receiving fixes like this one. The healthier medium-term move is to migrate to a release on standard support, such as a newer LTS branch of Ubuntu.
