Apport race condition in crash report permissions
Description
Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport allows for a possible privilege escalation opportunity. If fs.protected_symlinks is disabled, this can be exploited between the os.open and os.chown calls when the Apport cron script clears out crash files of size 0. A symlink with the same name as the deleted file can then be created upon which chown will be called, changing the file owner to root. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A TOCTOU race condition in Apport's crash report handling allows local privilege escalation via symlink attack when fs.protected_symlinks is disabled.
Vulnerability
A time-of-check time-of-use (TOCTOU) race condition exists in Apport's crash report creation logic. Between the os.open and os.chown calls in data/apport (lines 707–713), an attacker can replace the newly created crash report file with a symlink. This is exploitable because the Apport cron script (/etc/cron.daily/apport) deletes zero-size crash files, creating a window where the attacker can create a symlink with the same name. The vulnerability affects Apport versions prior to 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8, and 2.20.11-0ubuntu22. The attack requires the kernel parameter fs.protected_symlinks to be disabled (default on some older systems) [1][3].
Exploitation
An attacker must have local access and the ability to trigger a crash of a setuid binary (or any process where the real UID differs from the effective UID). The attacker first causes a crash report to be created with size 0. The cron script then removes that zero-size file. During the race window between the os.open and os.chown calls in Apport, the attacker creates a symlink with the same name as the deleted file, pointing to an arbitrary target file. The attacker can also delay Apport by replacing the user settings file (~/.config/apport/settings) with a FIFO, extending the race window. When Apport calls os.chown, it changes the ownership of the symlink target to root, effectively granting the attacker control over that file [1].
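To make the open-to-chown window concrete, here is an added Python illustration (not Apport's code and not the upstream patch) that contrasts the chown-by-path pattern the advisory describes with a descriptor-based variant using os.fchown, replaying the name swap in a private temporary directory with files the current user owns; the `between` hook, the file names, and the use of the caller's own uid/gid are constructed for the demo.

```python
import os
import tempfile

def create_report_by_path(report_path, uid, gid, between=None):
    """Pattern the advisory describes: open by path, then chown by path.
    `between` is a constructed hook that runs inside the open-to-chown window."""
    fd = os.open(report_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    try:
        if between:
            between()
        # os.chown() re-resolves the name, so a symlink planted in the
        # window redirects the ownership change to the symlink's target.
        os.chown(report_path, uid, gid)
        return os.stat(report_path).st_ino  # inode the chown actually hit
    finally:
        os.close(fd)

def create_report_by_fd(report_path, uid, gid, between=None):
    """Hardened variant: act on the descriptor, which stays bound to the
    inode os.open() created even if the directory entry is replaced."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(report_path, flags, 0o640)
    try:
        if between:
            between()
        os.fchown(fd, uid, gid)
        return os.fstat(fd).st_ino
    finally:
        os.close(fd)

def replay_window():
    """Replay the race in a private temp dir using only files the caller
    owns. Returns (path_variant_hit_victim, fd_variant_hit_victim)."""
    uid, gid = os.getuid(), os.getgid()  # chown to self needs no privilege
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")  # stands in for any other file
        open(victim, "w").close()
        victim_ino = os.stat(victim).st_ino
        report = os.path.join(d, "report.crash")

        def swap():  # the name freed by the cron cleanup gets a symlink
            os.unlink(report)
            os.symlink(victim, report)

        by_path = create_report_by_path(report, uid, gid, between=swap)
        os.unlink(report)  # reset the name for the second run
        by_fd = create_report_by_fd(report, uid, gid, between=swap)
        return by_path == victim_ino, by_fd == victim_ino
```

The private temporary directory is not a sticky world-writable directory, so fs.protected_symlinks does not affect the replay; `replay_window()` returns `(True, False)`: the path-based chown lands on the symlink target, the descriptor-based one on the file that was actually created.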
Impact
Successful exploitation allows a local attacker to change the ownership of any file on the system to root. This can be leveraged to read arbitrary files (e.g., via a symlink attack on a file the attacker can then read) or to escalate privileges to root. The attacker gains the ability to modify system files or access sensitive data, leading to full system compromise [1][3].
Mitigation
Apport has been patched in the following versions: 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8, and 2.20.11-0ubuntu22. Users should update their Apport package to the latest available version. Additionally, ensuring that fs.protected_symlinks is enabled (default on modern Linux kernels) mitigates the attack vector. No other workarounds are available if the system cannot be updated [1][3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.20.1-0ubuntu2.23, <2.20.9-0ubuntu7.14, <2.20.11-0ubuntu8.8, <2.20.11-0ubuntu22
- Range: 2.20.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- usn.ubuntu.com/4315-2/ (Ubuntu Security Notice, vendor advisory)
- bugs.launchpad.net/ubuntu/+source/apport/+bug/1862933 (Launchpad bug report, confirmation)
- usn.ubuntu.com/4315-1/ (Ubuntu Security Notice, confirmation)
News mentions
No linked articles in our index yet.