Octavio Galland
on 30 May 2025
Apport local information disclosure vulnerability fixes available
Qualys discovered two vulnerabilities in various Linux distributions which allow a local attacker with permission to create user namespaces to leak core dumps for processes of suid executables. These affect both apport, the Ubuntu core dump handler (CVE-2025-5054), and systemd-coredump, the core dump handler in Red Hat Enterprise Linux, Fedora and other Linux distributions (CVE-2025-4598). CVE-2025-4598 does not affect Ubuntu releases.
The vulnerabilities have a CVSS score of 4.7 (MEDIUM), requiring local access and high attack complexity. The impact is restricted to the confidentiality of the memory space of invoked suid executables. The exploit demonstrated by Qualys can leak hashed user passwords and, as such, has limited real-world impact.
Canonical’s security team has released updates for the apport package for all affected Ubuntu releases. This package is installed by default in all Ubuntu Server images and Ubuntu Desktop installations. The update remediates CVE-2025-5054. Information on the affected versions can be found in the CVE page linked above. If you have any of these installed, our recommendation is to update as soon as possible.
How the exploit works
Qualys discovered that, when analyzing application crashes, apport attempts to detect if the crashing process was running inside a container before performing consistency checks on it. This means that if a local attacker manages to induce a crash in a privileged process and quickly replace it with another one with the same process ID that resides inside a mount and pid namespace, apport will attempt to forward the core dump (which might contain sensitive information belonging to the original, privileged process) into the namespace.
In order to successfully carry out the exploit, an attacker must have permissions to create user, mount and pid namespaces with full capabilities.
Affected releases
| Release | Package Name | Fixed Version |
|---|---|---|
| Xenial (16.04) | apport | 2.20.1-0ubuntu2.30+esm5 |
| Bionic (18.04) | apport | 2.20.9-0ubuntu7.29+esm1 |
| Focal (20.04) | apport | 2.20.11-0ubuntu27.28 |
| Jammy (22.04) | apport | 2.20.11-0ubuntu82.7 |
| Noble (24.04) | apport | 2.28.1-0ubuntu3.6 |
| Oracular (24.10) | apport | 2.30.0-0ubuntu4.3 |
| Plucky (25.04) | apport | 2.32.0-0ubuntu5.1 |
How to check if you are impacted
On your system, run the following command and compare the listed version to the table above.
apt list --installed | grep "^apport"
How to address
We recommend you upgrade all packages:
sudo apt update && sudo apt upgrade
If this is not possible, the affected component can be targeted:
# on focal and newer:
sudo apt update && sudo apt install --only-upgrade apport python3-apport
# on xenial and bionic:
sudo apt update && sudo apt install --only-upgrade apport python3-apport python-apport
The unattended-upgrades feature is enabled by default for Ubuntu 16.04 LTS onwards. This service:
- Applies new security updates every 24 hours automatically.
- Applies the patches above automatically within 24 hours of their being available, if you have it enabled.
Mitigation
The strongest protection is to apply the security updates. The following mitigations have also been explored. If security updates cannot be applied, you should only apply the following steps as a last resort and revert the configuration once updates are applied.
The ability to obtain core dumps of suid executable processes can be completely disabled by setting the fs.suid_dumpable sysctl to 0. While this completely neutralizes the vulnerability, it also restricts the ability to investigate crashes for all processes which change privileges upon execution.
echo "fs.suid_dumpable = 0" | sudo tee /etc/sysctl.d/10-cve-2025-5054.conf
sudo sysctl -p /etc/sysctl.d/10-cve-2025-5054.conf
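The version check from "How to check if you are impacted" and the fs.suid_dumpable mitigation above, combined into one script. This is an added example, not part of the original advisory or Canonical's tooling; the function names and the `--check` argument are illustrative, and it assumes `dpkg` and `/etc/os-release` as found on Ubuntu.

```sh
#!/bin/sh
# Added example: classify a host's exposure to CVE-2025-5054.

# Fixed versions, copied from the "Affected releases" table on this page.
fixed_version_for() {
    case "$1" in
        xenial)   echo "2.20.1-0ubuntu2.30+esm5" ;;
        bionic)   echo "2.20.9-0ubuntu7.29+esm1" ;;
        focal)    echo "2.20.11-0ubuntu27.28" ;;
        jammy)    echo "2.20.11-0ubuntu82.7" ;;
        noble)    echo "2.28.1-0ubuntu3.6" ;;
        oracular) echo "2.30.0-0ubuntu4.3" ;;
        plucky)   echo "2.32.0-0ubuntu5.1" ;;
        *)        return 1 ;;
    esac
}

# apport_status CODENAME INSTALLED_VERSION SUID_DUMPABLE
# Prints one of: not-installed, unknown-release, patched, mitigated, vulnerable
apport_status() {
    codename=$1; installed=$2; dumpable=$3
    [ -n "$installed" ] || { echo not-installed; return 0; }
    fixed=$(fixed_version_for "$codename") || { echo unknown-release; return 0; }
    # Use dpkg's own ordering: a plain string or "sort -V" comparison
    # does not follow Debian rules for suffixes such as "+esm5".
    if dpkg --compare-versions "$installed" ge "$fixed"; then
        echo patched
    elif [ "$dumpable" = 0 ]; then
        echo mitigated      # fs.suid_dumpable = 0: no suid core dumps at all
    else
        echo vulnerable
    fi
}

main() {
    . /etc/os-release       # provides VERSION_CODENAME on Ubuntu
    installed=$(dpkg-query -W -f='${Version}' apport 2>/dev/null)
    dumpable=$(cat /proc/sys/fs/suid_dumpable)
    status=$(apport_status "${VERSION_CODENAME:-}" "$installed" "$dumpable")
    echo "apport ${installed:-<none>} on ${VERSION_CODENAME:-?}," \
         "fs.suid_dumpable=$dumpable: $status"
}

# Run the live check only when asked, e.g.: sh check-apport.sh --check
if [ "${1:-}" = "--check" ]; then
    main
fi
```

A result of `mitigated` means the host is relying on the sysctl workaround and still needs the package update.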
Acknowledgements
We would like to thank Qualys for their excellent reporting and for inviting the Ubuntu Security Team to coordinate this issue.
References
https://www.qualys.com/apport-systemd-info-disclosure-vulnerabilities-discovered-by-qualys-tru
https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt