CVE-2025-5054 and CVE-2025-4598: Linux Core Dump Bugs Leak Passwords


Two new security vulnerabilities in popular Linux distributions—Ubuntu, Red Hat Enterprise Linux (RHEL), and Fedora—could allow attackers to access sensitive information like password hashes. The flaws were found in tools used for handling system crashes, namely apport (used by Ubuntu) and systemd-coredump (used by RHEL and Fedora).

These vulnerabilities were reported by the Qualys Threat Research Unit (TRU) and are tracked as CVE-2025-5054 and CVE-2025-4598. Both are race condition bugs, meaning they rely on timing issues where two processes compete to perform actions in an unexpected sequence, potentially leading to a security breach.

What Are the Flaws?

The main tools affected—apport and systemd-coredump—are responsible for collecting and storing system data when a crash occurs, helping developers identify and fix bugs. However, these tools can also inadvertently store sensitive data from privileged processes.

CVE-2025-5054 (CVSS Score: 4.7)

  • Affects the Canonical apport package (up to version 2.32.0)

  • Allows local attackers to exploit a race condition using PID reuse and Linux namespaces

  • This can result in core dumps that expose private data from Set User ID (SUID) programs

CVE-2025-4598 (CVSS Score: 4.7)

  • Impacts systemd-coredump used in Fedora and RHEL

  • Lets an attacker crash a SUID process and replace it with a non-SUID process using the same Process ID (PID)

  • If timed correctly, the attacker can gain access to the core dump of the original privileged process, which may include sensitive files like /etc/shadow (used for storing password hashes)

What Is SUID and Why It Matters

SUID (Set User ID) is a permission setting on Linux files that allows a user to run a file with the permissions of the file’s owner. Many system programs use SUID to perform actions that regular users are not allowed to do. If an attacker can exploit a bug in a SUID program, they might gain unauthorized access to sensitive data or even escalate privileges.

How the Exploits Work

According to Octavio Galland from Canonical, apport checks whether a crashed process is running inside a container before analyzing it. If an attacker crashes a privileged process and quickly starts a new one using the same PID inside a separate namespace, apport might mistakenly forward the core dump of the original process to the attacker’s namespace.

In a similar way, systemd-coredump can be fooled into logging the crash details of a SUID process and storing them in a way that a local attacker can read, giving access to private data in memory.

Real-World Impact

Qualys developed proof-of-concept (PoC) code showing how these bugs could be used to extract password hashes from the /etc/shadow file by crashing a system process called unix_chkpwd, which verifies user passwords. This could help attackers in offline brute-force or dictionary attacks to crack passwords.

Canonical downplayed the danger, saying the exploit mostly affects the confidentiality of the memory of SUID processes and has limited real-world impact. Still, security experts warn that core dumps can hold a treasure trove of sensitive data, including encryption keys, login tokens, and user credentials.


Risk Rating and Mitigation

Red Hat rated CVE-2025-4598 as “Moderate” due to the complexity required to successfully carry out the exploit. An attacker must win a race condition and already have local access to the system, which limits the risk.

To reduce exposure, Red Hat recommends running the following command as root:

echo 0 > /proc/sys/fs/suid_dumpable

This disables the ability of the system to create core dumps from SUID programs, thereby closing the attack vector. However, this also prevents developers from analyzing crashes of these programs, making it a temporary fix rather than a long-term solution.
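The following script is an added example, not code from the article or from Red Hat or Canonical: it reports the current fs.suid_dumpable setting and which crash handler (apport or systemd-coredump) the kernel pipes core dumps into, and applies and persists the mitigation described above. The sysctl.d file name is my own choice.

```shell
#!/bin/sh
# Added example: inspect and apply the suid_dumpable mitigation from the article.
# Assumption: persistence file /etc/sysctl.d/99-suid-dumpable.conf (name chosen here).

# Pure check: 0 is the only value that stops the kernel from dumping core for
# set-user-ID programs (1 = debug, 2 = suidsafe still produce a dump).
suid_dumpable_is_safe() {
    [ "$1" = "0" ]
}

# Classify a kernel.core_pattern value. A leading '|' means the kernel pipes the
# core image into a helper program instead of writing a file on disk.
core_handler_from_pattern() {
    case "$1" in
        '|'*apport*)           echo apport ;;
        '|'*systemd-coredump*) echo systemd-coredump ;;
        '|'*)                  echo other-pipe-helper ;;
        *)                     echo file ;;
    esac
}

# Report the current state without changing anything.
report_state() {
    dumpable=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unknown)
    pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo unknown)
    echo "fs.suid_dumpable=$dumpable handler=$(core_handler_from_pattern "$pattern")"
    if suid_dumpable_is_safe "$dumpable"; then
        echo "SUID core dumps are disabled"
    else
        echo "SUID core dumps are enabled: apply the mitigation"
    fi
}

# Apply the mitigation (needs root), persist it across reboots, and re-check.
apply_mitigation() {
    echo 0 > /proc/sys/fs/suid_dumpable || return 1
    printf 'fs.suid_dumpable = 0\n' > /etc/sysctl.d/99-suid-dumpable.conf || return 1
    sysctl --system >/dev/null 2>&1 || true
    suid_dumpable_is_safe "$(cat /proc/sys/fs/suid_dumpable)"
}

case "${1:-report}" in
    report) report_state ;;
    apply)  apply_mitigation && report_state ;;
esac
```

Run it with no arguments to audit a host, or with `apply` as root to set the mitigation.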

Impact on Other Linux Distributions

Other Linux vendors like Amazon Linux, Debian, and Gentoo have released similar advisories. Notably, Debian is not affected by CVE-2025-4598 by default because it does not include a core dump handler unless systemd-coredump is installed manually. Also, Ubuntu is not impacted by CVE-2025-4598, though it is vulnerable to CVE-2025-5054.

Security Recommendations

Security expert Saeed Abbasi from Qualys warns that attackers exploiting these vulnerabilities can compromise system confidentiality, potentially leading to downtime, data breaches, and regulatory violations.

To protect Linux systems from such risks, experts recommend:

  • Applying official patches and updates as soon as they are available

  • Using mitigation commands like echo 0 > /proc/sys/fs/suid_dumpable where appropriate

  • Monitoring core dumps and access logs

  • Limiting access to local accounts and enforcing least privilege policies

  • Regularly auditing systems for suspicious activity or unknown users

These newly discovered Linux bugs remind us how even trusted system tools can become attack vectors. While the vulnerabilities require local access and precise timing, the risk of leaking sensitive data like password hashes is significant enough for administrators to act quickly. Keeping systems updated, disabling unnecessary core dumps, and tightening access controls are crucial steps to maintain the security and integrity of Linux environments.
