Apport: Race condition in Canonical Apport allowing sensitive information leak via PID-reuse (CVE-2025-5054) #shorts

Summary

CVE-2025-5054 is a local information-disclosure vulnerability in Canonical's Apport crash reporter (up to and including version 2.32.0). A race condition in the crash-handling logic can cause sensitive data from host processes to be forwarded into containerized environments, potentially leaking private information to untrusted namespaces.

Product details

Apport is Ubuntu's default crash-reporting framework, used to capture and process core dumps on system crashes. Versions up to 2.32.0 are affected. It is shipped by Canonical in all supported Ubuntu releases and typically runs with elevated privileges to inspect crashing processes and collect diagnostic data.

Vulnerability type summary

This is a race condition vulnerability (CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization). By exploiting the window between Apport’s forwarding check and its consistency verification, a local attacker can trick Apport into sending core dump data to a newly spawned container process, resulting in unauthorized disclosure of sensitive memory contents.

Details of the vulnerability

When Apport handles a crash, it first calls `_check_global_pid_and_forward` to detect whether the crashing process lives in a container, and only then runs `consistency_checks` to confirm that the crashing PID has not been reaped and reused by another process. An attacker can crash a process and immediately spawn a container whose process receives the same PID (PID reuse), so Apport forwards the core dump into the container before `consistency_checks` ever runs. The fix swaps the call order so that `consistency_checks` runs first and, because PID reuse cannot be reliably detected from userspace alone, restricts forwarding to cases where the kernel supplied a pidfd or the crashing process was unprivileged (dump mode 1), which closes the race window.
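To make the two orderings concrete, the following constructed Python model (added here; not Apport's own code) runs the same crash facts through the pre-fix and post-fix decision logic. `CrashInfo`, `ProcEntry`, the result strings and the uid-only `consistency_checks` are simplifying assumptions, not Apport's real data structures.

```python
# Constructed model of the CVE-2025-5054 check ordering (not Apport's code).
# CrashInfo/ProcEntry and the uid-only consistency check are simplifications.
from dataclasses import dataclass
from typing import Optional

@dataclass
class CrashInfo:
    """Facts the kernel passes to the handler at crash time (core_pattern args)."""
    pid: int
    uid: int
    dump_mode: int                 # 1 = unprivileged crasher, 2 = privileged/suid
    pidfd: Optional[int] = None    # set only when the kernel supplied a pidfd

@dataclass
class ProcEntry:
    """What a later /proc/<pid> lookup returns; after PID reuse, a different process."""
    uid: int
    in_container: bool             # pid namespace differs from the host's

def _check_global_pid_and_forward(proc: ProcEntry) -> bool:
    """Container-residency test: True means 'forward the dump to the container'."""
    return proc.in_container

def consistency_checks(crash: CrashInfo, proc: ProcEntry) -> bool:
    """Userspace identity check: does /proc still describe the process the kernel
    reported? (Simplified to a uid comparison; a same-uid replacement passes.)"""
    return proc.uid == crash.uid

def handle_crash_vulnerable(crash: CrashInfo, proc: ProcEntry) -> str:
    """Ordering before the fix: forwarding is decided before identity is checked."""
    if _check_global_pid_and_forward(proc):
        return "forwarded"
    if not consistency_checks(crash, proc):
        return "rejected"
    return "handled-on-host"

def handle_crash_fixed(crash: CrashInfo, proc: ProcEntry) -> str:
    """Ordering after the fix: identity first, and forwarding also requires a
    kernel-provided pidfd or an unprivileged crasher (dump mode 1), since a
    same-uid PID reuse cannot be told apart from userspace alone."""
    if not consistency_checks(crash, proc):
        return "rejected"
    if _check_global_pid_and_forward(proc):
        if crash.pidfd is not None or crash.dump_mode == 1:
            return "forwarded"
        return "rejected"
    return "handled-on-host"
```

The third scenario in the checks below (same uid, no pidfd, privileged crasher) is the case the reorder alone would still miss, which is why the pidfd/dump-mode gate was added.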

Conclusion

All Ubuntu users running Apport should upgrade to the patched release (2.32.1 or later) as soon as possible. Administrators should apply Canonical’s security updates and audit local crash-reporting configurations. Restricting access to crash dump utilities and keeping systems up to date remains the best defense against race-based information leaks.

Watch the full video on YouTube: CVE-2025-5054

Remediation and exploitation details

This chain involves the following actors

  • Local Attacker: Unprivileged user on the host who can trigger and race process crashes
  • Apport Service: Crash-handling daemon on Ubuntu that forwards core dumps

The following systems are involved

  • Canonical Apport (Collects and forwards program crash reports): Processes crashes and may forward core dumps to container contexts
  • Container Environment (Isolated runtime namespace where forwarded dumps appear): Receives leaked core dumps containing sensitive host data

Attack entry point

  • Crash-handling path in Apport: The routine `_check_global_pid_and_forward` is invoked before verifying that the crashing process has not been replaced

Remediation actions

  • System Administrator or User: Upgrade Apport to version 2.32.1 or later (Canonical Apport)
  • System Administrator: Apply the latest Canonical security updates (Ubuntu Operating System)

Exploitation actions

Send an invalid memory access signal or cause division by zero
  Actor: Local Attacker
  Action: Identify a long-running unprivileged process and plan to trigger a crash
  System: Target user process
  Examples:
    • Use `kill -SEGV <pid>` or load a small C program that dereferences NULL

Start a new container in rapid succession so it reuses the freed process identifier
  Actor: Local Attacker
  Action: Immediately launch or resume a container process that will inherit the same process identifier
  System: Container Environment
  Examples:
    • Run `docker run --rm -d ubuntu sleep 1000` timed to reuse the crashed PID

Race condition allows detection of the PID inside a container without consistency checks
  Actor: Apport Service
  Action: Invoke `_check_global_pid_and_forward` before verifying process identity
  System: Canonical Apport
  Examples:
    • Apport reads `/proc/<pid>/ns/pid` and sees the container namespace

Write core file into container filesystem or stdout
  Actor: Apport Service
  Action: Forward the core dump data to the container
  System: Canonical Apport → Container Environment
  Examples:
    • Apport copies `/var/lib/apport/coredump.<pid>` into container root

Use debugging tools to parse memory regions for credentials or keys
  Actor: Local Attacker
  Action: Access the forwarded core dump inside the container and extract secrets
  System: Container Environment
  Examples:
    • Run `gdb --core=core.<pid>` inside container and search for private keys

Related Content

NOTE: The following related content has not been vetted and may be unsafe.

CVE database technical details

CVE ID
CVE-2025-5054
Description
Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces. When handling a crash, the function `_check_global_pid_and_forward`, which detects if the crashing process resided in a container, was being called before `consistency_checks`, which attempts to detect if the crashing process had been replaced. Because of this, if a process crashed and was quickly replaced with a containerized one, apport could be made to forward the core dump to the container, potentially leaking sensitive information. `consistency_checks` is now being called before `_check_global_pid_and_forward`. Additionally, given that the PID-reuse race condition cannot be reliably detected from userspace alone, crashes are only forwarded to containers if the kernel provided a pidfd, or if the crashing process was unprivileged (i.e., if dump mode == 1).
Provider
canonical
CWE / problem types
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Affected Software Versions (Canonical Apport)
  • dpkg 2.20.1 series: affected before 2.20.1-0ubuntu2.30+esm5
  • dpkg 2.20.9 series: affected before 2.20.9-0ubuntu7.29+esm1
  • dpkg 2.20.11 series: affected before 2.20.11-0ubuntu27.28
  • dpkg 2.20.11 series: affected before 2.20.11-0ubuntu82.7
  • dpkg 2.28.1 series: affected before 2.28.1-0ubuntu3.6
  • dpkg 2.30.0 series: affected before 2.30.0-0ubuntu4.3
  • dpkg 2.32.0 series: affected before 2.32.0-0ubuntu5.1
  • dpkg 2.32.0 series: affected before 2.33.0-0ubuntu1
  • upstream (semver): 2.20 up to and including 2.32.0
Date Published
2025-05-30T17:37:01.006Z
Last Updated
2025-06-09T16:23:28.514Z