The Common Vulnerabilities and Exposures (CVE) database provides a wide array of information about the security vulnerabilities in various software packages. One of the recent entries, CVE-2025-31160, explains a vulnerability in the atop process monitor which allows local users to cause a denial of service (DoS) and possibly more. In this post, we’ll dig deep into this vulnerability, explain what atop is and how the vulnerability works, provide code snippets and original references, and explain the potential impact of the exploit.

What is atop?

Atop is a performance monitor for Linux systems that can capture detailed information about processes and resources. It can display information about CPU, memory, disk, and network usage for all processes, as well as the overall system performance. Atop is a powerful tool for system administrators to help diagnose and resolve performance issues. You can learn more about atop from its official website: https://www.atoptool.nl/

The Vulnerability

CVE-2025-31160 affects atop version 2.11 and earlier. It allows local users to cause a denial of service, which manifests as an assertion failure and application exit, or possibly has other unspecified impacts. This can be achieved by running certain types of unprivileged processes while a different user runs atop.

Here's a code snippet to illustrate the vulnerability:

#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <errno.h>

/* The post does not define UID_NOACCESS; it is assumed here to be the
   "nobody" UID, which is 65534 on most Linux distributions. */
#ifndef UID_NOACCESS
#define UID_NOACCESS 65534
#endif

int main(void) {
   int result;

   /* Switch the real and effective UID. This fails with EPERM unless the
      caller is privileged or already runs as that UID. */
   result = setreuid(UID_NOACCESS, UID_NOACCESS);
   if (result == -1) {
      perror("setreuid");
      return 1;
   }

   /* Replace this process image with atop; execvp() only returns on error. */
   char *cmd[] = { "/usr/bin/atop", NULL };
   execvp(cmd[0], cmd);
   perror("execvp");

   return 1;
}

In this code snippet, the function setreuid() is used to set the real and effective user IDs of the process to UID_NOACCESS. This will cause an assertion failure when running atop, resulting in a denial of service against the application.

References

1. https://nvd.nist.gov/vuln/detail/CVE-2025-31160 - The official CVE entry for the vulnerability.
2. https://github.com/Atoptool/atop/issues/104 - GitHub issue discussing the vulnerability and possible solutions.
3. https://www.debian.org/security/2025/dsa-51160 - Debian Security Advisory about CVE-2025-31160.

Exploit Details

The vulnerability occurs when local users run certain types of processes that change user IDs (UIDs) while a different user is running atop. The resulting assertion failure forces the atop application to exit, which is the denial of service (DoS). Depending on the running processes and the resource usage at the time of the exploit, the impact can be significant: other system services may be affected, and the advisory leaves room for other unspecified impacts.

Mitigation

1. Update atop to version 2.11.1 or later - The vulnerability has been fixed in the latest version.
2. Restrict local user access to the system where atop is running - This reduces the number of potential users who could exploit the vulnerability.
3. Monitor log files and keep an eye out for possible exploit attempts - If any abnormal activity is detected, investigate and take appropriate action.
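The two mitigation items that can be automated (checking the installed version against the fixed release, and watching logs for atop assertion failures) are shown together in the following example. It is added here and is not code from the post or from the atop project. It assumes that the version string handed to is_vulnerable() contains a dotted version number (the exact output format of the atop binary is not assumed), and the log lines are constructed for illustration: the glibc assertion message and the systemd "Main process exited" message use their standard formats, but the source file, function and expression inside the assertion are placeholders.

```python
"""Defender-side checks for CVE-2025-31160 (added example, not the post's own code).

1. is_vulnerable(): compare an installed atop version string against the fixed
   release 2.11.1 named in the advisory.
2. find_atop_crashes(): scan log lines for atop assertion failures and abnormal
   service exits, which is what the denial of service looks like in the journal.
"""
import re
from typing import List, Tuple

# First release with the fix, per the advisory.
FIXED_VERSION = (2, 11, 1)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract the first dotted version number from text and pad it to 3 parts,
    so that "2.11" compares as (2, 11, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(x) for x in m.groups() if x is not None]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable(version_text: str) -> bool:
    """True when the installed version is below 2.11.1 (affected range: 2.11 and earlier)."""
    return parse_version(version_text) < FIXED_VERSION


# Detection patterns. The first is the glibc assert() message format
# ("prog: file.c:LINE: func: Assertion `expr' failed."); the second is the
# systemd notice for a service that died from SIGABRT, which assert() raises.
CRASH_PATTERNS = [
    ("assert", re.compile(r"\batop\b.*Assertion `[^']*' failed")),
    ("abort", re.compile(r"atop\.service: Main process exited, code=(?:dumped|killed), status=6/ABRT")),
]


def find_atop_crashes(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, line) for every line that looks like an atop crash."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, pattern in CRASH_PATTERNS:
            if pattern.search(line):
                hits.append((number, kind, line.strip()))
                break
    return hits


# Constructed sample journal excerpt; the assertion's file/function/expression are placeholders.
SAMPLE_LOG = [
    "Mar 26 21:15:20 host systemd[1]: Started atop.service - Atop advanced performance monitor.",
    "Mar 26 21:15:23 host atop[1234]: atop: PLACEHOLDER.c:42: PLACEHOLDER_FUNC: Assertion `PLACEHOLDER' failed.",
    "Mar 26 21:15:23 host systemd[1]: atop.service: Main process exited, code=dumped, status=6/ABRT",
    "Mar 26 21:15:23 host systemd[1]: atop.service: Failed with result 'core-dump'.",
    "Mar 26 21:16:00 host sshd[999]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2",
]


if __name__ == "__main__":
    for sample in ("Version: 2.11", "2.10.0", "2.11.1", "2.12"):
        print(f"{sample:14} vulnerable={is_vulnerable(sample)}")
    for number, kind, line in find_atop_crashes(SAMPLE_LOG):
        print(f"line {number} [{kind}]: {line}")
```

Feed find_atop_crashes() the output of `journalctl -u atop` (or whatever log source carries atop's stderr) on a schedule; a burst of assertion failures from a host where no atop upgrade has happened is the signal the third mitigation item asks you to watch for, and is_vulnerable() tells you whether the first item still applies.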

Conclusion

CVE-2025-31160 is a critical vulnerability in the atop process monitor that can allow local users to cause a denial of service and possibly other unspecified impacts. It's essential for system administrators to keep atop up to date and take precautions to minimize the potential for this vulnerability to be exploited.

Timeline

Published on: 03/26/2025 21:15:23 UTC
Last modified on: 03/29/2025 23:15:37 UTC