Apport treats the container PID as the global PID when /proc/<global_pid>/ is missing
Description
Apport does not properly handle crashes originating from a PID namespace, allowing local users to create certain files as root, which an attacker could leverage to perform a denial of service via resource exhaustion, possibly gain root privileges, or escape from containers. The is_same_ns() function returns True when /proc/<global_pid>/ does not exist in order to indicate that the crash should be handled in the global namespace rather than inside of a container. However, the portion of the data/apport code that decides whether or not to forward a crash to a container does not always replace sys.argv[1] with the value stored in the host_pid variable when /proc/<global_pid>/ does not exist, which results in the container PID being used in the global namespace. This flaw affects versions 2.20.8-0ubuntu4 through 2.20.9-0ubuntu7, 2.20.7-0ubuntu3.7, 2.20.7-0ubuntu3.8, 2.20.1-0ubuntu2.15 through 2.20.1-0ubuntu2.17, and 2.14.1-0ubuntu3.28.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apport crash handling flaw in PID namespace allows local users to cause denial of service, escalate privileges to root, or escape containers.
Vulnerability
Apport, the automatic crash report handling system on Ubuntu, contains a flaw in its PID namespace processing. The is_same_ns() function returns True when /proc/<global_pid>/ does not exist, intending to indicate that the crash should be handled in the global namespace rather than inside a container. However, the code that decides whether to forward a crash to a container does not always replace sys.argv[1] with the value stored in the host_pid variable when /proc/<global_pid>/ is missing, causing the container PID to be used in the global namespace [1][2]. This affects versions 2.20.8-0ubuntu4 through 2.20.9-0ubuntu7, 2.20.7-0ubuntu3.7, 2.20.7-0ubuntu3.8, 2.20.1-0ubuntu2.15 through 2.20.1-0ubuntu2.17, and 2.14.1-0ubuntu3.28.
Exploitation
A local attacker must have the ability to trigger a crash or core dump from within a container. By exploiting the missing /proc/ entry, the attacker can cause Apport to use the container PID in the global namespace. This allows the attacker to create certain files as root in the global namespace, leveraging the crash handling mechanism [1][2]. No additional authentication beyond local access is required.
Impact
Successful exploitation enables the attacker to create files as root in the global namespace. This can lead to a denial of service via resource exhaustion, escalation of privileges to root, or escape from containers into the host system [1][2]. The attack compromises the confidentiality, integrity, and availability of the affected system.
Mitigation
Ubuntu released security updates to address this vulnerability. The fix is included in USN-3664-1 (for Ubuntu 17.10, 18.04 LTS, and others) published on 30 May 2018, and USN-3664-2 (for Ubuntu 14.04 LTS) published on 4 June 2018 [1][2]. Users should update the apport package to the corrected versions specified in the respective advisories. No workarounds are documented; the only mitigation is to apply the updates.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=2.20.8-0ubuntu4, <=2.20.9-0ubuntu7
- (no CPE) range: 2.20.8-0ubuntu4 to 2.20.9-0ubuntu7, 2.20.7-0ubuntu3.7 to 2.20.7-0ubuntu3.8, 2.20.1-0ubuntu2.15 to 2.20.1-0ubuntu2.17, 2.14.1-0ubuntu3.28
Package: https://pypi.org/project/apport
Patches
No patches discovered yet.
References
- usn.ubuntu.com/3664-2/ (mitre; vendor-advisory; x_refsource_UBUNTU)
- usn.ubuntu.com/usn/usn-3664-1 (mitre; vendor-advisory; x_refsource_UBUNTU)