Qualys has disclosed a set of critical vulnerabilities in the Linux kernel's AppArmor Linux Security Module (LSM); Ubuntu ships the fixes as USN-8266-1. These flaws are not theoretical: they allow an unprivileged local attacker to subvert the security posture of a host by manipulating the AppArmor profiles loaded in the kernel.
The implications are severe. In environments that rely on AppArmor for containment, above all containerized workloads (LXC, Docker) and multi-tenant Linux systems, these vulnerabilities enable Denial of Service (DoS), kernel memory disclosure, privilege escalation and container escape. An attacker who has already obtained a low-privilege shell (for example through a web application vulnerability) can use these bugs to switch off the security control that confines that shell and then move on to root.
The same update also fixes flaws in GPU drivers, network drivers, SunRPC and the XFRM subsystem, all of which are reachable by a local user. Defenders should treat this as a priority patch: the bugs turn a foothold into lateral movement and full host compromise.
Technical Analysis
Affected Products & Versions
- Platform: Ubuntu Linux (USN-8266-1)
- Component: Linux Kernel, specifically the AppArmor LSM subsystem.
- CVEs:
  - CVE-2026-23268, CVE-2026-23269, CVE-2026-23403, CVE-2026-23404, CVE-2026-23405, CVE-2026-23410, CVE-2026-23411: AppArmor LSM flaws allowing profile manipulation.
  - CVE-2024-27388, CVE-2024-46816, CVE-2024-49938: flaws in GPU drivers, network drivers, SunRPC and XFRM.
Vulnerability Mechanics
The core issue lies in how the AppArmor LSM manages references to, and permission checks on, the security profiles loaded in the kernel. The vulnerabilities let an unprivileged local user:
- Load arbitrary profiles: introduce a profile of the attacker's choosing, including one in complain mode, so that violations are logged but no longer blocked.
- Replace existing profiles: swap a restrictive profile (for example a container's default profile) for a permissive one.
- Remove profiles: delete the security boundary outright.
All three operations are meant to be reachable only through the policy interface under /sys/kernel/security/apparmor and only by a caller holding CAP_MAC_ADMIN, which in practice means root. Once a profile is replaced or removed, the confinement it provided is gone and the process is bounded by discretionary permissions alone; that loss of confinement is what the advisory translates into container escape, privilege escalation and kernel memory disclosure.
Exploitation Status
- Discovery: the AppArmor flaws were reported by the Qualys research team.
- Exploitation: the bugs give a local user reliable privilege escalation. No in-the-wild exploitation had been confirmed at publication, but exploitation complexity is low and the kernel fixes are public, so patch-diffing into a working exploit should be expected.
Detection & Response
The bugs themselves are exercised inside the kernel, so there is no exploit signature to match. What is observable is the outcome: a profile loaded, replaced or removed by a process that should not be able to do so. Two sources record that. auditd captures the execution of the policy tools together with the uid and auid behind it, and the kernel writes its own audit record for every policy change that passes through the AppArmor interface (apparmor="STATUS" with operation profile_load, profile_replace or profile_remove, the profile in name= and the acting process in comm=). The rules below cover the first source; the KQL query and the example that follows cover the second.
SIGMA Rules
---
title: AppArmor Policy Tool Executed by Non-Root User
id: 89a2b3c4-1d5e-4f6a-9b7c-8d6e5f4a3b2c
status: experimental
description: Detects execution of the AppArmor policy tools by a non-root user. Loading, replacing or removing profiles requires CAP_MAC_ADMIN, so a non-root invocation that succeeds is a candidate indicator for CVE-2026-23268 or the related LSM flaws in USN-8266-1.
references:
    - https://ubuntu.com/security/notices/USN-8266-1
author: Security Arsenal
date: 2026/01/15
tags:
    - attack.privilege_escalation
    - attack.t1068
logsource:
    product: linux
    service: auditd
detection:
    # Requires an execve audit rule (e.g. -a always,exit -F arch=b64 -S execve -k exec).
    # Without log_format=ENRICHED the syscall field holds the number, not the name.
    selection:
        type: 'SYSCALL'
        syscall: 'execve'
        exe|endswith:
            - '/apparmor_parser'
            - '/aa-disable'
            - '/aa-complain'
            - '/aa-remove-unknown'
            - '/aa-teardown'
    filter_root:
        uid: '0'
    condition: selection and not filter_root
fields:
    - auid
    - uid
    - exe
    - pid
falsepositives:
    - A non-root user running the tools by hand; on a patched kernel the call fails, so confirm with the kernel's apparmor="STATUS" record whether the profile actually changed
    - Administrators using sudo are excluded by the uid filter (uid is 0 under sudo); use auid to attribute those runs
level: high
---
title: AppArmor Profile Replace or Remove via AppArmor Parser
id: 10c2d3e4-5f6a-4b7c-8d9e-0f1a2b3c4d5e
status: experimental
description: Detects apparmor_parser replacing or removing loaded policy. Expected at boot (apparmor.service) and during package upgrades; anything outside those windows warrants a look.
references:
    - https://ubuntu.com/security/notices/USN-8266-1
author: Security Arsenal
date: 2026/01/15
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/apparmor_parser'
        CommandLine|contains:
            - ' -r'
            - '--replace'
            - ' -R'
            - '--remove'
    condition: selection
falsepositives:
    - apparmor.service at boot, package postinst scripts during upgrades, container runtimes loading their default profile (dockerd loads docker-default through apparmor_parser)
level: medium
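The Sigma rules above key on the userland tools. The kernel itself records every policy change that passes through its policy interface as an apparmor="STATUS" audit record with operation profile_load, profile_replace or profile_remove and the acting process in comm=, which catches a change regardless of which binary made it. The following is an added example, not code from the advisory, from Qualys or from Ubuntu: a POSIX shell triage function that reads such records (dmesg-style or auditd AVC-style prefix) and flags a policy change made by anything other than apparmor_parser, or the replacement or removal of a container default profile. The sample records are constructed for the example; the pids and the process name "evil" are made up, the field layout is the kernel's.

```shell
#!/bin/sh
# Triage of the kernel's own AppArmor policy-change records (added example).
# Every load/replace/remove that goes through the policy interface is logged by
# the kernel as apparmor="STATUS" with operation="profile_load|profile_replace|
# profile_remove", the profile in name= and the acting process in comm=/pid=.
# The records below are constructed for this example (made-up pids, comm "evil").

SAMPLE_LOG='audit: type=1400 audit(1737000001.101:201): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=812 comm="apparmor_parser"
audit: type=1400 audit(1737000002.102:202): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cups-browsed" pid=2101 comm="apparmor_parser"
audit: type=1400 audit(1737000003.103:203): apparmor="DENIED" operation="open" profile="docker-default" name="/etc/shadow" pid=3310 comm="cat" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1737000004.104:204): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-default" pid=4444 comm="evil"
type=AVC msg=audit(1737000005.105:205): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxc-container-default" pid=4445 comm="apparmor_parser"'

# aa_field KEY RECORD: value of KEY="..." in RECORD, empty if absent.
aa_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\"\([^\"]*\)\".*/\1/p"
}

# aa_pid RECORD: the unquoted pid= field.
aa_pid() {
    printf '%s\n' "$1" | sed -n 's/.* pid=\([0-9]*\).*/\1/p'
}

# flag_policy_changes: read records on stdin, print one line per suspicious
# policy change as  reason|operation|profile|comm|pid.  Two reasons:
#   unexpected_tool           - a policy change by anything but apparmor_parser
#   container_profile_changed - docker-default or an lxc-* profile replaced/removed
# Ordinary loads by apparmor_parser (boot, package upgrades) are not reported.
flag_policy_changes() {
    while IFS= read -r rec; do
        [ "$(aa_field apparmor "$rec")" = "STATUS" ] || continue
        op=$(aa_field operation "$rec")
        case "$op" in
            profile_load|profile_replace|profile_remove) ;;
            *) continue ;;
        esac
        name=$(aa_field name "$rec")
        comm=$(aa_field comm "$rec")
        reason=""
        if [ "$comm" != "apparmor_parser" ]; then
            reason="unexpected_tool"
        else
            case "$op:$name" in
                profile_replace:docker-default|profile_remove:docker-default|profile_replace:lxc-*|profile_remove:lxc-*)
                    reason="container_profile_changed" ;;
            esac
        fi
        if [ -n "$reason" ]; then
            printf '%s|%s|%s|%s|%s\n' "$reason" "$op" "$name" "$comm" "$(aa_pid "$rec")"
        fi
    done
    return 0
}

# Demonstration on the constructed sample: two of the five records are flagged.
printf '%s\n' "$SAMPLE_LOG" | flag_policy_changes
```

Source the file and pipe `journalctl -k` or an exported audit.log into flag_policy_changes; the prefix differs between sources but the fields do not. The STATUS record carries no uid, so join the pid against auditd's SYSCALL records to recover who made the change; a syscall rule keyed on writes under the policy interface, such as `-a always,exit -F arch=b64 -F dir=/sys/kernel/security/apparmor -F perm=w -F auid!=unset -k apparmor_policy`, would supply that directly (whether audit's path filters cover securityfs on a given kernel is an assumption to verify before relying on it).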
KQL (Microsoft Sentinel / Defender)
// Hunt for AppArmor policy changes as recorded by the kernel (apparmor="STATUS" records with
// operation profile_load / profile_replace / profile_remove), flagging changes made by anything
// other than apparmor_parser and every profile removal
Syslog
| where SyslogMessage has "apparmor"
| where SyslogMessage has_any ("profile_load", "profile_replace", "profile_remove")
| extend Operation = extract(@'operation="([^"]+)"', 1, SyslogMessage),
         ProfileName = extract(@'name="([^"]+)"', 1, SyslogMessage),
         Comm = extract(@'comm="([^"]+)"', 1, SyslogMessage),
         KernelPid = extract(@'pid=(\d+)', 1, SyslogMessage)
| where Comm != "apparmor_parser" or Operation == "profile_remove"
| project TimeGenerated, HostName, Operation, ProfileName, Comm, KernelPid, SyslogMessage
| order by TimeGenerated desc
Velociraptor VQL
-- Profiles modified on disk in the last hour. Note that the kernel flaws load
-- policy straight into the kernel, so /etc/apparmor.d can be untouched after an
-- attack; an empty result here does not clear the host.
SELECT
    FullPath,
    Mtime,
    Size,
    Mode
FROM glob(globs='/etc/apparmor.d/**',
          accessor='auto')
WHERE Mtime > timestamp(epoch=now() - 3600)

-- Processes currently running the AppArmor policy tools, with the invoking user
SELECT
    Pid,
    Ppid,
    Name,
    CommandLine,
    Username,
    Exe
FROM pslist()
WHERE Name =~ 'apparmor_parser'
   OR Exe =~ '/aa-'
Remediation Script (Bash)
#!/bin/bash
# Remediation Script for USN-8266-1: Linux Kernel AppArmor Vulnerabilities
# Shows the running kernel, applies pending kernel updates and reports whether
# a reboot is still needed. Run as root (or under sudo).
set -euo pipefail

echo "[+] Running kernel: $(uname -r)"

echo "[+] Refreshing package lists..."
apt-get update -qq

# List upgradable kernel packages. The earlier check grepped the 'Candidate'
# line of apt-cache policy for the word 'installed', which never appears on
# that line, so it reported an update every time; ask apt directly instead.
KERNEL_UPDATES=$(apt list --upgradable 2>/dev/null | grep -E '^linux-(image|headers|modules)' || true)
if [ -n "$KERNEL_UPDATES" ]; then
    echo "[!] Kernel updates available:"
    echo "$KERNEL_UPDATES"
    echo "[!] Applying patches..."
    DEBIAN_FRONTEND=noninteractive apt-get install -y --only-upgrade $(echo "$KERNEL_UPDATES" | cut -d/ -f1)
    echo "[+] Update complete."
else
    echo "[+] No pending kernel updates found. Cross-check with 'ubuntu-security-status'."
fi

# Ubuntu's update-notifier drops this file when an installed package needs a reboot.
if [ -f /var/run/reboot-required ]; then
    echo "[!] Reboot REQUIRED to load the fixed kernel. Packages asking for it:"
    cat /var/run/reboot-required.pkgs 2>/dev/null || true
fi

# Confirm AppArmor is up and enforcing the expected profiles.
if command -v aa-status >/dev/null 2>&1; then
    echo "[+] AppArmor status:"
    aa-status
else
    echo "[-] AppArmor tools not found (apt-get install apparmor-utils)."
fi
Remediation
- Patch Immediately: Apply the kernel updates listed in USN-8266-1. There is no configuration workaround for flaws in the LSM itself; the fixed kernel is the only mitigation.
- Verify Patches: After updating, confirm that the running kernel (uname -r) matches the fixed package version given in the Ubuntu notice, not merely that the package is installed.
- Reboot: A kernel update only places the fixed image on disk; the vulnerable kernel stays in memory until the host reboots. Do not defer this reboot.
- Container Hosts: Prioritize container hosts (Docker, LXC, Kubernetes nodes). An attacker who escapes a container owns the host and, from there, potentially the cluster.
- Audit Logs: Review auditd and kernel AppArmor records for profile tampering or unexpected privilege escalation that may have happened before patching, and keep watching afterwards.
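The Verify Patches and Reboot items come down to one comparison: is the kernel in memory the newest one installed? The function below, an added example rather than anything from the Ubuntu notice, compares Ubuntu-style release strings (6.8.0-48-generic) field by field so it does not depend on sort -V or dpkg, and wraps that in a check of uname -r against the vmlinuz images in /boot. The release strings in the demonstration are constructed and are not the fixed versions from USN-8266-1, which the notice itself lists.

```shell
#!/bin/sh
# Is the running kernel the newest one installed? (added example)
# A kernel package upgrade only writes a new image to /boot; the vulnerable
# kernel stays in memory until the host reboots. Release strings in the
# demonstration are constructed and are not the fixed versions from USN-8266-1.

# kver_cmp A B: print lt, eq or gt for Ubuntu release strings such as
# 6.8.0-48-generic, comparing the numeric fields in order. The flavour
# suffix (generic, aws, ...) is non-numeric and counts as 0, so the result
# is only meaningful between kernels of the same flavour.
kver_cmp() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { n = split($0, f, "[.-]"); for (i = 1; i <= n; i++) v[NR, i] = f[i] + 0; c[NR] = n }
        END {
            m = (c[1] > c[2]) ? c[1] : c[2]
            for (i = 1; i <= m; i++) {
                if (v[1, i] + 0 < v[2, i] + 0) { print "lt"; exit }
                if (v[1, i] + 0 > v[2, i] + 0) { print "gt"; exit }
            }
            print "eq"
        }'
}

# newest_kernel "REL REL ...": print the newest release in a space-separated list.
newest_kernel() {
    best=""
    for k in $1; do
        if [ -z "$best" ] || [ "$(kver_cmp "$k" "$best")" = "gt" ]; then
            best=$k
        fi
    done
    printf '%s\n' "$best"
}

# reboot_needed RUNNING "INSTALLED ...": succeed when an installed image is
# newer than the running kernel, i.e. the patch is on disk but not in memory.
reboot_needed() {
    [ "$(kver_cmp "$(newest_kernel "$2")" "$1")" = "gt" ]
}

# check_running_kernel: the live check, from uname -r and the images in /boot.
check_running_kernel() {
    running=$(uname -r)
    installed=$(ls /boot/vmlinuz-* 2>/dev/null | sed 's#.*/vmlinuz-##' | tr '\n' ' ')
    if reboot_needed "$running" "$installed"; then
        echo "[!] Running $running, newest installed is $(newest_kernel "$installed"): reboot required"
        return 1
    fi
    echo "[+] Running kernel $running is the newest installed image"
}

# Demonstration with constructed values: upgraded to -48, still running -45.
if reboot_needed "6.8.0-45-generic" "6.8.0-45-generic 6.8.0-48-generic"; then
    echo "sample host: reboot required"
fi
```

On a live host call check_running_kernel; it exits non-zero when a reboot is outstanding, which makes it usable as a post-patch gate in configuration management. It complements, rather than replaces, checking the installed package version against the one in the notice, since a kernel newer than the running one is not necessarily the fixed one.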
Official Vendor Advisory: Ubuntu USN-8266-1 (https://ubuntu.com/security/notices/USN-8266-1)