CVE-2025-5054
📋 TL;DR
A race condition vulnerability in Canonical's apport crash reporting tool allows local attackers to leak sensitive information from core dumps. By exploiting PID reuse in container environments, attackers can trick apport into forwarding crash data to containers where it can be accessed. This affects Ubuntu systems with apport versions up to 2.32.0.
💻 Affected Systems
- Canonical apport
📦 What is this software?
Apport by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Sensitive memory contents from privileged processes could be leaked to containerized attackers, potentially exposing credentials, encryption keys, or other confidential data.
Likely Case
Local attackers with container access could obtain limited sensitive information from processes that crash and are quickly replaced.
If Mitigated
With proper patching, only unprivileged process crashes or those with kernel-provided pidfds are forwarded to containers, significantly reducing information leakage risk.
🎯 Exploit Status
Exploitation requires local access and ability to create/manipulate containers. The race condition window is narrow but exploitable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.32.1 and later
Vendor Advisory: https://ubuntu.com/security/notices/USN-7545-1
Restart Required: No
Instructions:
1. Update apport package: sudo apt update && sudo apt install apport
2. Verify version: dpkg -l apport | grep ^ii
3. Ensure version is 2.32.1 or higher
🔧 Temporary Workarounds
Disable apport crash reporting
Linux: Completely disable apport to prevent crash handling and information leakage
sudo systemctl stop apport
sudo systemctl disable apport
echo "enabled=0" | sudo tee /etc/default/apport
Restrict container creation
Linux: Limit ability to create containers to reduce attack surface
sudo chmod 750 /usr/bin/docker
sudo chmod 750 /usr/bin/podman
sudo usermod -aG docker trusted_users_only
🧯 If You Can't Patch
- Disable apport service entirely to prevent crash handling
- Implement strict access controls to prevent unauthorized users from creating containers
🔍 How to Verify
Check if Vulnerable:
Check apport version: dpkg -l apport | grep ^ii | awk '{print $3}'
Check Version:
dpkg -l apport | grep ^ii | awk '{print $3}'
Verify Fix Applied:
Verify apport version is 2.32.1 or higher: dpkg -l apport | grep ^ii
📡 Detection & Monitoring
Log Indicators:
- Unusual apport crash reports from containerized processes
- Multiple rapid crash reports for same PID
- Apport logs showing container forwarding errors
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
source="apport" AND ("container" OR "namespace") AND event_type="crash_report"
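As an added example (not part of the original advisory and not apport's own code), the sketch below implements the "multiple rapid crash reports for same PID" log indicator over apport log lines. It assumes the `called for pid N, signal S` entry shape of /var/log/apport.log; the sample lines, the 5-second window and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed apport.log entry shape (an assumption, not taken from the advisory):
#   ERROR: apport (pid 9001) Mon Jun  2 10:15:01 2025: called for pid 1337, signal 11, ...
LINE_RE = re.compile(
    r"apport \(pid \d+\) (?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): "
    r"called for pid (?P<pid>\d+), signal \d+"
)

def parse(lines):
    """Yield (timestamp, crashed_pid) for every 'called for pid' entry."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            # asctime pads single-digit days with a space; collapse before parsing.
            ts = " ".join(m["ts"].split())
            yield datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"), int(m["pid"])

def rapid_repeats(lines, window=timedelta(seconds=5), threshold=2):
    """Return {pid: [timestamps]} for PIDs reported >= threshold times within window."""
    by_pid = defaultdict(list)
    for ts, pid in parse(lines):
        by_pid[pid].append(ts)
    flagged = {}
    for pid, stamps in by_pid.items():
        stamps.sort()
        # Sliding window: entry i and entry i+threshold-1 must fall inside `window`.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[pid] = stamps
                break
    return flagged

# Constructed sample lines, not real log output.
SAMPLE = [
    "ERROR: apport (pid 9001) Mon Jun  2 10:15:01 2025: called for pid 1337, signal 11, core limit 0, dump mode 1",
    "ERROR: apport (pid 9007) Mon Jun  2 10:15:03 2025: called for pid 1337, signal 11, core limit 0, dump mode 1",
    "ERROR: apport (pid 9050) Mon Jun  2 10:20:44 2025: called for pid 2200, signal 6, core limit 0, dump mode 1",
    "ERROR: apport (pid 9051) Mon Jun  2 11:45:10 2025: called for pid 2200, signal 6, core limit 0, dump mode 1",
    "ERROR: apport (pid 9051) Mon Jun  2 11:45:10 2025: executable: /usr/bin/example",
]

if __name__ == "__main__":
    for pid, stamps in rapid_repeats(SAMPLE).items():
        print(f"pid {pid}: {len(stamps)} crash reports, first at {stamps[0]}")
```

A hit is a triage lead, not proof of exploitation: a service that crashes in a restart loop can also reuse PIDs quickly, so correlate with container activity on the same host.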