Apport: Race condition in Canonical Apport allowing sensitive information leak via PID-reuse (CVE-2025-5054) #shorts
Summary
CVE-2025-5054 is a local information-disclosure vulnerability in Canonical's Apport crash reporter (up to and including version 2.32.0). A race condition in the crash-handling logic can cause sensitive data from host processes to be forwarded into containerized environments, potentially leaking private information to untrusted namespaces.
Product details
Apport is Ubuntu's default crash-reporting framework, used to capture and process core dumps on system crashes. Versions up to 2.32.0 are affected. It is shipped by Canonical in all supported Ubuntu releases and typically runs with elevated privileges to inspect crashing processes and collect diagnostic data.
Vulnerability type summary
This is a race condition vulnerability (CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization). By exploiting the window between Apport’s forwarding check and its consistency verification, a local attacker can trick Apport into sending core dump data to a newly spawned container process, resulting in unauthorized disclosure of sensitive memory contents.
Details of the vulnerability
When Apport handles a crash, it first calls `_check_global_pid_and_forward` to detect whether the crashing PID lives in a container, and only then runs `consistency_checks` to confirm that the crashing PID has not been reaped and replaced. An attacker can crash a process and immediately spawn a container whose process reuses the same PID, so that Apport forwards the core dump into the container before `consistency_checks` ever runs. The fix swaps the call order so that `consistency_checks` runs first, and it restricts forwarding to cases where the kernel provides a pidfd or the crashing process is unprivileged (dump mode 1), mitigating the race window.
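The check ordering described above, replayed as an added simulation that is not Apport's own code: `/proc` is replaced by a constructed process table so the PID reuse can be triggered deterministically, and one crash is driven through the pre-fix order (container lookup first, `consistency_checks` afterwards) and through the patched order (`consistency_checks` first, forwarding only via a kernel-supplied pidfd or for dump mode 1). Only the pre-fix order lets the dump reach the container namespace. Every PID, path, namespace id and helper name below is constructed for the illustration; only the two function roles come from the advisory text.

```python
"""Model of the Apport PID-reuse race (CVE-2025-5054) and the patched ordering.

Simplified simulation, not Apport's own code: the process table, namespace
strings, start times and helper names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

HOST_PID_NS = "pid:[4026531836]"          # constructed: host PID namespace id
CONTAINER_PID_NS = "pid:[4026532611]"     # constructed: a container's PID namespace id


@dataclass(frozen=True)
class ProcInfo:
    """What a crash handler learns about a PID from /proc at lookup time."""
    pid: int
    starttime: int   # field 22 of /proc/<pid>/stat (ticks since boot)
    exe: str         # readlink /proc/<pid>/exe
    pid_ns: str      # readlink /proc/<pid>/ns/pid
    dump_mode: int   # 1 = ordinary process, 2 = privileged (e.g. setuid) process


class ProcTable:
    """Stand-in for /proc; a local user can make a PID refer to a new process."""

    def __init__(self) -> None:
        self._procs: Dict[int, ProcInfo] = {}

    def add(self, proc: ProcInfo) -> None:
        self._procs[proc.pid] = proc

    def lookup(self, pid: int) -> Optional[ProcInfo]:
        return self._procs.get(pid)


class PidReused(Exception):
    """The PID no longer refers to the process that crashed."""


def consistency_checks(table: ProcTable, pid: int, crashed: ProcInfo) -> None:
    """Compare the live /proc entry with the identity recorded at crash time;
    a different start time or executable means the PID was reaped and reused."""
    now = table.lookup(pid)
    if now is None or now.starttime != crashed.starttime or now.exe != crashed.exe:
        raise PidReused(f"pid {pid} was replaced")


def lives_in_container(proc: Optional[ProcInfo]) -> bool:
    """The forwarding decision: does /proc/<pid>/ns/pid differ from the host's?"""
    return proc is not None and proc.pid_ns != HOST_PID_NS


def handle_crash_vulnerable(table: ProcTable, pid: int, crashed: ProcInfo,
                            attacker_race: Callable[[], None]) -> str:
    """Pre-fix order: the forwarding lookup happens before any verification."""
    attacker_race()                              # PID is reused before the lookup
    if lives_in_container(table.lookup(pid)):
        return "forwarded-to-container"          # dump leaks; checks never run
    consistency_checks(table, pid, crashed)
    return "handled-on-host"


def handle_crash_fixed(table: ProcTable, pid: int, crashed: ProcInfo,
                       attacker_race: Callable[[], None],
                       pidfd: Optional[ProcInfo]) -> str:
    """Patched order: verify first; forward only via a kernel-supplied pidfd
    (which cannot be retargeted by PID reuse) or for an unprivileged crash."""
    attacker_race()
    consistency_checks(table, pid, crashed)      # raises PidReused on reuse
    if pidfd is not None:
        target: Optional[ProcInfo] = pidfd
    elif crashed.dump_mode == 1:
        target = table.lookup(pid)
    else:
        return "handled-on-host"                 # privileged crash, no pidfd: keep local
    return "forwarded-to-container" if lives_in_container(target) else "handled-on-host"


def run_scenario(fixed: bool, reuse: bool, with_pidfd: bool = False) -> str:
    """Drive one crash through either handler; 'reuse' makes the attacker win the race."""
    table = ProcTable()
    # constructed victim: a privileged host process whose memory must stay private
    victim = ProcInfo(pid=4242, starttime=100, exe="/usr/sbin/example-helper",
                      pid_ns=HOST_PID_NS, dump_mode=2)
    table.add(victim)

    def attacker_reuses_pid() -> None:
        if reuse:   # victim reaped; a container process lands on the same PID
            table.add(ProcInfo(pid=4242, starttime=900, exe="/bin/sleep",
                               pid_ns=CONTAINER_PID_NS, dump_mode=1))

    try:
        if fixed:
            return handle_crash_fixed(table, 4242, victim, attacker_reuses_pid,
                                      victim if with_pidfd else None)
        return handle_crash_vulnerable(table, 4242, victim, attacker_reuses_pid)
    except PidReused:
        return "aborted"


if __name__ == "__main__":
    print("vulnerable, PID reused :", run_scenario(fixed=False, reuse=True))
    print("fixed, PID reused      :", run_scenario(fixed=True, reuse=True))
    print("fixed, no race, pidfd  :", run_scenario(fixed=True, reuse=False, with_pidfd=True))
```

The model deliberately keeps the comparison keys that a real consistency check would use (executable path and process start time from `/proc/<pid>/stat`), because a reused PID cannot reproduce the original start time; the pidfd branch stands in for the kernel handing the handler a reference that stays bound to the crashing process instance rather than to the PID number.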
Conclusion
All Ubuntu users running Apport should upgrade to the patched release (2.32.1 or later) as soon as possible. Administrators should apply Canonical’s security updates and audit local crash-reporting configurations. Restricting access to crash dump utilities and keeping systems up to date remains the best defense against race-based information leaks.
Watch the full video on YouTube: CVE-2025-5054
Remediation and exploitation details
This chain involves the following actors
- Local Attacker: Unprivileged user on the host who can trigger and race process crashes
- Apport Service: Crash-handling daemon on Ubuntu that forwards core dumps
The following systems are involved
- Canonical Apport (Collects and forwards program crash reports): Processes crashes and may forward core dumps to container contexts
- Container Environment (Isolated runtime namespace where forwarded dumps appear): Receives leaked core dumps containing sensitive host data
Attack entry point
- Crash-handling path in Apport: The routine `_check_global_pid_and_forward` is invoked before verifying that the crashing process has not been replaced
Remediation actions
Exploitation actions
Send an invalid memory access signal or cause division by zero
- Use `kill -SEGV <pid>` or load a small C program that dereferences NULL
Start a new container in rapid succession so it reuses the freed process identifier
- Run `docker run --rm -d ubuntu sleep 1000` timed to reuse the crashed PID
Race condition allows detection of the PID inside a container without consistency checks
- Apport reads `/proc/<pid>/ns/pid` and sees the container namespace
Write core file into container filesystem or stdout
- Apport copies `/var/lib/apport/coredump.<pid>` into container root
Use debugging tools to parse memory regions for credentials or keys
- Run `gdb --core=core.<pid>` inside container and search for private keys
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://ubuntu.com/security/notices/USN-7545-1
- https://ubuntu.com/security/CVE-2025-5054
- https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt
- [2025-05-30] Qualys TRU discovers two local information-disclosure vulnerabilities in Apport and systemd-coredump.
- [2025-06-03] New Linux vulnerabilities CVE-2025-5054 and CVE-2025-4598 allow local attackers to access sensitive information.
- [2025-06-02] Qualys details critical Linux crash reporting vulnerabilities exposing password hashes.