VYPR
Unrated severity · NVD Advisory · Published May 30, 2025 · Updated Nov 3, 2025

Race Condition in Canonical Apport

CVE-2025-5054

Description

Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces.

When handling a crash, the function _check_global_pid_and_forward, which detects if the crashing process resided in a container, was being called before consistency_checks, which attempts to detect if the crashing process had been replaced. Because of this, if a process crashed and was quickly replaced with a containerized one, apport could be made to forward the core dump to the container, potentially leaking sensitive information. consistency_checks is now being called before _check_global_pid_and_forward. Additionally, given that the PID-reuse race condition cannot be reliably detected from userspace alone, crashes are only forwarded to containers if the kernel provided a pidfd, or if the crashing process was unprivileged (i.e., if dump mode == 1).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in apport ≤2.32.0 allows a local attacker to leak sensitive information by exploiting PID reuse across namespaces.

Vulnerability

A race condition exists in Canonical apport (Ubuntu's crash handler) up to and including version 2.32.0. The function _check_global_pid_and_forward, which detects if the crashing process resided in a container, was called before consistency_checks, which attempts to detect if the crashing process had been replaced. This ordering allows an attacker to crash a process and quickly replace it with a containerized process before apport analyzes /proc/pid/, causing the core dump to be forwarded to the container. [1][2]

Exploitation

A local attacker must crash a SUID program (e.g., unix_chkpwd) and, within a small race window, replace the crashed process with a containerized process using PID reuse and namespaces. The attacker does not require special privileges beyond local access. A proof of concept for Ubuntu 24.04 is provided in the Qualys advisory. [1]

Impact

Successful exploitation allows the attacker to read the core dump of the crashed SUID program, which may contain sensitive information such as password hashes from /etc/shadow. This results in local information disclosure. [1]

Mitigation

The vulnerability is fixed in apport version 2.32.1, released on 29 May 2025. The fix reorders the calls so that consistency_checks runs before _check_global_pid_and_forward. Additionally, crashes are only forwarded to containers if the kernel provided a pidfd or if the crashing process was unprivileged (dump mode == 1). Users should update to apport 2.32.1 or later via Ubuntu security update USN-7545-1. [2][3]
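The following is an added illustration, not apport's own code: it models the two checks on constructed /proc-style process records and shows how the pre-2.32.1 ordering forwards a core dump after PID reuse while the fixed ordering (consistency check first, then the pidfd / dump-mode gate) refuses it. The record fields (starttime, pid_ns, uid), the namespace ids and the result labels are assumptions for the model.

```python
from dataclasses import dataclass

GLOBAL_PID_NS = "pid:[4026531836]"  # constructed: inode-style id of the host PID namespace

@dataclass(frozen=True)
class Proc:
    """Snapshot of what apport can read from /proc/<pid> (constructed fields)."""
    pid: int
    starttime: int  # process start time in clock ticks, /proc/<pid>/stat field 22
    pid_ns: str     # target of the /proc/<pid>/ns/pid symlink
    uid: int

def consistency_checks(at_crash: Proc, now: Proc) -> bool:
    """Best-effort userspace check that /proc/<pid> still describes the crashed process."""
    return (at_crash.pid == now.pid and at_crash.starttime == now.starttime
            and at_crash.uid == now.uid)

def check_global_pid_and_forward(now: Proc) -> bool:
    """True when the process currently owning the PID lives in a container namespace."""
    return now.pid_ns != GLOBAL_PID_NS

def vulnerable_order(at_crash: Proc, now: Proc, *, have_pidfd: bool, dump_mode: int) -> str:
    # apport <= 2.32.0: decide on forwarding before verifying the process identity,
    # so a containerized process that reused the PID receives the dump.
    if check_global_pid_and_forward(now):
        return "forward-to-container"
    if not consistency_checks(at_crash, now):
        return "drop"
    return "handle-locally"

def fixed_order(at_crash: Proc, now: Proc, *, have_pidfd: bool, dump_mode: int) -> str:
    # apport 2.32.1: verify first; forward only with a kernel pidfd or an
    # unprivileged crash (dump mode 1), since userspace alone cannot rule out PID reuse.
    if not consistency_checks(at_crash, now):
        return "drop"
    if check_global_pid_and_forward(now):
        return "forward-to-container" if (have_pidfd or dump_mode == 1) else "drop"
    return "handle-locally"

def scenario_pid_reuse() -> tuple[str, str]:
    """Constructed race: a privileged (dump mode 2) crash whose PID is reused by a container process."""
    crashed = Proc(pid=4242, starttime=100000, pid_ns=GLOBAL_PID_NS, uid=0)
    replaced = Proc(pid=4242, starttime=100037, pid_ns="pid:[4026532801]", uid=1000)
    return (vulnerable_order(crashed, replaced, have_pidfd=False, dump_mode=2),
            fixed_order(crashed, replaced, have_pidfd=False, dump_mode=2))

if __name__ == "__main__":
    print(scenario_pid_reuse())  # ('forward-to-container', 'drop')
```

The `dump_mode` value follows the kernel core-pattern `%d` convention the advisory refers to (1 for a normal process, 2 for a privileged one such as a SUID binary).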

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
