Critical Linux Core Dump Vulnerabilities Expose Password Hashes
Critical Linux Race Conditions Allow Password Hash Theft Through Core Dump Exploitation
The Qualys Threat Research Unit (TRU) has discovered two critical local information-disclosure vulnerabilities affecting core dump handlers in major Linux distributions. Tracked as CVE-2025-5054 and CVE-2025-4598, both are race condition bugs in the crash-reporting mechanisms of Apport (Ubuntu) and systemd-coredump (Red Hat Enterprise Linux and Fedora).
CVE-2025-5054 affects Ubuntu’s core-dump handler, Apport, in all releases from 16.04 to 24.04. This race condition vulnerability in Canonical’s apport package up to and including version 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces.
CVE-2025-4598 targets systemd-coredump, the default core-dump handler on Red Hat Enterprise Linux 9 and 10, as well as Fedora 40 and 41. This race condition allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original’s privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.
Severity of the Issue
Both vulnerabilities carry a CVSS score of 4.7, rated as Medium severity. However, the potential impact extends beyond the numerical rating: exploiting Apport or systemd-coredump puts confidentiality at high risk, as attackers could extract sensitive data such as passwords, encryption keys, or customer information from core dumps.
The exploitation of these vulnerabilities could have severe consequences:
- Confidentiality breach: attackers could access sensitive data, including passwords, encryption keys, or customer information stored in core dumps.
- Privilege escalation: extracted password hashes could be cracked, enabling attackers to escalate privileges or move laterally across a network.
- Operational and regulatory risk: organizations face potential operational downtime, reputational damage, and non-compliance with data protection regulations like GDPR.
How It Is Exploited
The exploitation relies on sophisticated race condition attacks targeting SUID (Set User ID) programs. SUID is a special file permission that allows a user to execute a program with the privileges of its owner, rather than their own permissions.
Qualys TRU has developed proof-of-concept (PoC) code for both vulnerabilities, demonstrating how a local attacker can exploit the coredump of a crashed unix_chkpwd process, which is used to verify the validity of a user’s password, to obtain password hashes from the /etc/shadow file.
For CVE-2025-5054 (Apport): A local attacker can exploit this by inducing a crash in a privileged SUID process and quickly replacing it with another process using the same process ID (PID) within a mount and PID namespace. This tricks Apport into forwarding the core dump of the original privileged process, which may contain sensitive data, to the namespace controlled by the attacker.
For CVE-2025-4598 (systemd-coredump): An attacker can crash a SUID process such as unix_chkpwd, SIGKILL it, and replace it with a non-SUID process before its /proc/pid/auxv is analyzed by systemd-coredump, thereby gaining read access to the core file of the crashed SUID process and hence to the contents of /etc/shadow. To widen the race window, attackers pass an argv[0] of 128K characters to the SUID process, which slows down systemd-coredump's analysis of its /proc/pid/cmdline and gives enough time to replace the crashed SUID process.
Who is at Risk
The scope of affected systems is extensive:
- Ubuntu Systems: All releases from 16.04 to 24.04 are vulnerable to CVE-2025-5054 via Apport, affecting millions of systems using Apport up to version 2.32.0.
- Red Hat Enterprise Linux: Versions 9 and 10 are affected by CVE-2025-4598 via systemd-coredump.
- Fedora: Versions 40 and 41 are impacted by CVE-2025-4598.
- Other Distributions: Amazon Linux and Gentoo have issued advisories, indicating potential exposure depending on configuration. Debian is not affected by CVE-2025-4598 by default, as systemd-coredump is not installed unless explicitly added.
Organizations running these Linux distributions in enterprise environments, cloud infrastructures, and server deployments face the highest risk, particularly those with multiple user accounts or systems that process sensitive data.
Remediation Strategies
Immediate Mitigations
Disable SUID Core Dumps: Red Hat recommends running the command "echo 0 > /proc/sys/fs/suid_dumpable" as root to stop the system from generating core dumps for SUID binaries. Setting /proc/sys/fs/suid_dumpable to 0 disables core dumps for all SUID programs, which means SUID programs and root daemons that drop privileges can no longer be analyzed after a crash, but it serves as a temporary fix if the vulnerable core-dump handler itself cannot be patched immediately.
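As an added example that is not part of the original article or any vendor advisory, the POSIX shell helper below audits the two settings this mitigation depends on (the fs.suid_dumpable value and which user-space handler kernel.core_pattern pipes crashes to) and applies the interim setting persistently; the sysctl.d file name is an assumption.

```shell
#!/bin/sh
# Added audit/mitigation helper (not from the Qualys advisory or any vendor):
# reports whether SUID core dumps are still permitted, which user-space
# handler receives them, and applies the interim fs.suid_dumpable=0 setting.

# Classify the kernel's suid_dumpable value read from file $1.
# Returns 0 when dumps of SUID processes are disabled (value 0), 1 when a
# handler can still receive them (1 = debug, 2 = suidsafe), 2 if unreadable.
suid_dump_status() {
    val=$(tr -d '[:space:]' 2>/dev/null < "$1")
    case "$val" in
        0)   echo "suid_dumpable=0: SUID core dumps disabled"; return 0 ;;
        1|2) echo "suid_dumpable=$val: SUID core dumps reach the handler"; return 1 ;;
        *)   echo "suid_dumpable unreadable or unexpected: '$val'"; return 2 ;;
    esac
}

# Name the handler that core_pattern (file $1) pipes crashes to. A leading
# '|' means the kernel hands the dump to a program, e.g. Apport on Ubuntu or
# systemd-coredump on RHEL/Fedora; anything else is a plain file pattern.
core_handler() {
    pat=$(cat "$1" 2>/dev/null)
    case "$pat" in
        "|"*apport*)           echo apport ;;
        "|"*systemd-coredump*) echo systemd-coredump ;;
        "|"*)                  echo other-pipe ;;
        *)                     echo file ;;
    esac
}

# Interim mitigation from the advisory, made persistent across reboots.
# Must run as root; the sysctl.d file name is an assumption, any name works.
apply_mitigation() {
    echo 0 > /proc/sys/fs/suid_dumpable
    printf 'fs.suid_dumpable = 0\n' > /etc/sysctl.d/99-suid-dumpable.conf
}

# Run the audit only when invoked as: sh coredump_audit.sh audit [--fix]
if [ "${1:-}" = "audit" ]; then
    handler=$(core_handler /proc/sys/kernel/core_pattern)
    echo "core dump handler: $handler"
    if suid_dump_status /proc/sys/fs/suid_dumpable; then
        echo "no action needed"
    elif [ "${2:-}" = "--fix" ] && [ "$(id -u)" = 0 ]; then
        apply_mitigation && echo "mitigation applied"
    else
        echo "patch $handler or rerun with --fix as root"
    fi
fi
```

Run it as `sh coredump_audit.sh audit` to report, or `sudo sh coredump_audit.sh audit --fix` to apply the setting; the helper only reads /proc unless --fix is given.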
Official Patches
- Ubuntu/Canonical: Acknowledges CVE-2025-5054 and has released Apport version 2.33.0 to address the issue. The company emphasizes that the real-world impact of the PoC exploit is limited due to its complexity.
- Red Hat: Rates CVE-2025-4598 as Moderate and recommends disabling core dumps for SUID programs as a temporary mitigation while patches are applied.
- Debian: Not vulnerable to CVE-2025-4598 by default but advises users who have installed systemd-coredump to apply updates.
Best Practices
- Apply Security Updates: Immediately update to patched versions of Apport and systemd-coredump when available
- Monitor Core Dump Activity: Implement logging and monitoring for unusual core dump generation
- Limit Local Access: Restrict local user accounts and implement principle of least privilege
- Regular Security Audits: Conduct periodic reviews of SUID programs and file permissions
- Network Segmentation: Isolate critical systems to limit lateral movement potential
How CinchOps Can Help Secure Your Business
At CinchOps, we understand that vulnerabilities like CVE-2025-5054 and CVE-2025-4598 represent exactly the kind of complex, technical threats that can overwhelm small and medium-sized businesses. With over three decades of experience managing IT infrastructure, we’ve seen how seemingly obscure vulnerabilities can become major security incidents when left unaddressed.
Our comprehensive security approach ensures your Linux systems remain protected against these and emerging threats:
- Automated Patch Management: We maintain current security updates across all your Linux distributions, ensuring critical patches for vulnerabilities like these core dump flaws are applied promptly and systematically
- Vulnerability Assessment: Our security experts conduct regular scans and assessments to identify potentially vulnerable systems before they can be exploited
- System Hardening: We implement security best practices including proper SUID program auditing, core dump security configurations, and access controls that limit exposure to race condition attacks
- Security Training: We educate your staff on security best practices and help them recognize potential threats before they become incidents
- Compliance Support: Our security measures help ensure your organization meets regulatory requirements while maintaining operational efficiency
Don’t let complex Linux vulnerabilities leave your business exposed. CinchOps provides the expertise and proactive security management that transforms these technical challenges into manageable, monitored components of your IT infrastructure. Contact us today to learn how our managed security services can protect your organization from the evolving threat environment.
For Additional Information on this topic:
Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump