TOCTOU in apport
Description
A TOCTOU race condition vulnerability in apport allows a local attacker to escalate privileges and execute arbitrary code. An attacker may exit the crashed process and exploit PID recycling to spawn a root process with the same PID as the crashed process, which can then be used to escalate privileges. Fixed in 2.20.1-0ubuntu2.24; affects 2.20.9 versions prior to 2.20.9-0ubuntu7.16 and 2.20.11 versions prior to 2.20.11-0ubuntu27.6. Was ZDI-CAN-11234.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A TOCTOU race in apport lets a local attacker reuse a victim PID to replace crash files, achieving privilege escalation to root.
Vulnerability
CVE-2020-15702 is a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in the apport package, which is automatically installed on Ubuntu systems to generate crash reports. Affected versions are apport prior to 2.20.1-0ubuntu2.24, 2.20.9 before 2.20.9-0ubuntu7.16, and 2.20.11 before 2.20.11-0ubuntu27.6. The flaw resides in the lack of proper locking when performing operations on a crash file, allowing a race window between a check and a use of that file.[1][2][3]
Exploitation
An attacker must first be able to execute low-privileged code on the target system. The attacker monitors for a process crash handled by apport and races with the crash-handling logic. Upon detecting a crash, the attacker exits their own process and then exploits PID recycling: when a new root-level process (such as a cron job) starts with the same PID as the crashed process, the attacker can replace the crash report file with a symbolic link to an arbitrary file. In the race window, apport follows the link and performs privileged operations (e.g., writing or setting ownership) on the attacker-chosen file. This sequence leverages the inherent race condition due to the absence of proper locking.[1][3]
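Added example, not apport's code or its patch: one defensive pattern against the PID-recycling race described above is to open /proc/<pid> once and do every later read through that directory descriptor, so a read fails once the original process is gone instead of returning data for a new process that received the same PID. The function names and the child process are constructed for illustration, and a Linux /proc is assumed.

```python
import os
import subprocess
import sys


def pin_process(pid):
    """Open /proc/<pid> once; the fd stays bound to that process, not to the PID number."""
    return os.open(f"/proc/{pid}", os.O_RDONLY | os.O_DIRECTORY)


def read_pinned(proc_fd, name):
    """Read /proc/<pid>/<name> through the pinned fd; None if that process is gone."""
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=proc_fd)
        with os.fdopen(fd, "rb") as f:
            return f.read()
    except OSError:
        return None


def start_time(proc_fd):
    """Field 22 of stat (start time in clock ticks); with the PID it identifies one process."""
    raw = read_pinned(proc_fd, "stat")
    if raw is None:
        return None
    # comm (field 2) may contain spaces or ')', so split after the last ')'.
    return int(raw.rsplit(b")", 1)[1].split()[19])


def demo():
    """Constructed scenario: the inspected process exits while it is being examined."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"])
    proc_fd = pin_process(child.pid)
    try:
        before = start_time(proc_fd)
        child.kill()
        child.wait()  # reaped: the kernel may now give child.pid to any new process
        after = start_time(proc_fd)  # a path-based /proc/<pid> read could see that new process
        return before, after
    finally:
        os.close(proc_fd)


if __name__ == "__main__":
    print(demo())
```

A crash handler that re-opens /proc/<pid>/... by path at each step has no such guarantee; comparing the start time read at the first check with the one read at use is the fallback when a pinned descriptor is not available.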
Impact
Successful exploitation allows the attacker to escalate privileges to root and execute arbitrary code. The attacker can gain complete control over the target system, including reading, modifying, or deleting any file and executing commands with root privileges. Both confidentiality and integrity are compromised, and availability may also be affected.[1][3]
Mitigation
Canonical released fixed versions of apport on 4 August 2020: 2.20.1-0ubuntu2.24, 2.20.9-0ubuntu7.16, and 2.20.11-0ubuntu27.6. All users should update their apport package to the patched version via the standard Ubuntu package manager (apt update && apt upgrade apport). No known workaround exists; applying the patch is the only mitigation. This vulnerability was reported through the ZDI program (ZDI-20-979) and is listed as a separate CVE from the related issues fixed in the same advisory.[1][2][3]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=2.0, <2.20.1-0ubuntu2.24, >=2.20.9, <2.20.9-0ubuntu7.16, >=2.20.11, <2.20.11-0ubuntu27.6
- Range: 2.20.1
Patches
No patches discovered yet.
References
- usn.ubuntu.com/4449-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4449-2/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4449-1 (mitre, x_refsource_CONFIRM)
- www.zerodayinitiative.com/advisories/ZDI-20-979/ (mitre, x_refsource_MISC)