Login Sign Up

CVE-2021-3899

7.8 HIGH

📋 TL;DR

CVE-2021-3899 is a race condition vulnerability in Apport's 'replaced executable' detection mechanism that allows local attackers to execute arbitrary code with root privileges. This affects Ubuntu systems with Apport installed and configured to handle crash reports. Attackers need local access and specific configuration conditions to exploit this.

💻 Affected Systems

Products:
  • Apport
Versions: Apport versions prior to 2.20.11-0ubuntu82.1
Operating Systems: Ubuntu
Default Config Vulnerable: ✅ No
Notes: Requires Apport to be enabled and configured to handle crash reports; not all Ubuntu installations have this enabled by default.

📦 What is this software?

Apport by Canonical

View all CVEs affecting Apport →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full root compromise allowing complete system takeover, data exfiltration, persistence establishment, and lateral movement within the network.

🟠

Likely Case

Local privilege escalation from a standard user to root, enabling installation of backdoors, credential theft, and further system compromise.

🟢

If Mitigated

No impact if Apport is disabled or patched; limited impact if proper access controls and monitoring are in place.

🌐 Internet-Facing: LOW - Requires local access and specific configuration, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal attackers with local access could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and race condition timing; proof-of-concept exists in bug reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apport 2.20.11-0ubuntu82.1 and later

Vendor Advisory: https://ubuntu.com/security/notices/USN-5427-1

Restart Required: No

Instructions:

1. Update package list: sudo apt update 2. Upgrade Apport: sudo apt install --only-upgrade apport 3. Verify version: dpkg -l apport

🔧 Temporary Workarounds

Disable Apport

linux

Completely disable Apport crash reporting service

sudo systemctl stop apport
sudo systemctl disable apport
sudo sed -i 's/enabled=1/enabled=0/' /etc/default/apport

🧯 If You Can't Patch

  • Restrict local user access to systems with Apport enabled
  • Implement strict file permission controls and monitor for suspicious process execution

🔍 How to Verify

Check if Vulnerable:

Check Apport version: dpkg -l apport | grep ^ii

Check Version:

dpkg -l apport | grep ^ii | awk '{print $3}'

Verify Fix Applied:

Verify installed version is 2.20.11-0ubuntu82.1 or higher: dpkg -l apport

📡 Detection & Monitoring

Log Indicators:

  • Unusual Apport process activity
  • Suspicious crash report generation
  • Unexpected privilege escalation attempts

Network Indicators:

  • None - local exploitation only

SIEM Query:

process_name:"apport" AND (parent_process_name NOT IN ["systemd", "init"]) OR process_name:"apport" AND command_line:"/tmp/*"

📊 Metadata

CVE ID: CVE-2021-3899
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-367
Published: June 3, 2024
Last Updated: August 26, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-3899, you might also want to check these:

CVE-2026-25641 10.0

CVE-2026-25641 is a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attack...

Same vulnerability type (CWE-367)
CVE-2025-64180 10.0

A critical TOCTOU vulnerability in Manager accounting software allows attackers to bypass DNS valida...

Same vulnerability type (CWE-367)
CVE-2025-13032 9.9

A double fetch vulnerability in the sandbox kernel driver of Avast/AVG Antivirus on Windows allows l...

Same vulnerability type (CWE-367)