The Vulnerability
Two information disclosure flaws were disclosed in apport and systemd-coredump, the core dump handlers used in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU).
Tracked as CVE-2025-5054 and CVE-2025-4598, both are race conditions that a local attacker could exploit to read sensitive information. apport and systemd-coredump handle crash reporting and core dumps on Linux systems.
“These race conditions enable a local attacker to exploit a SUID program and directly read the resulting core dump,” said Saeed Abbasi, manager of product at Qualys TRU.
A brief description of the two flaws follows:
- CVE-2025-5054 (CVSS score: 4.7) – This race condition affects Canonical’s apport package up to and including version 2.32.0. It allows a local attacker to leak sensitive information by reusing PIDs and leveraging namespaces.
- CVE-2025-4598 (CVSS score: 4.7) – This race condition exists in systemd-coredump and lets an attacker force a SUID process to crash and then replace it, under the same PID, with a non-SUID binary, gaining access to the privileged process's core dump. As a result, sensitive data such as the contents of /etc/shadow may be exposed.
How it works
SUID, short for Set User ID, refers to a special file permission that lets a user execute a program with the file owner’s privileges rather than their own.
“When analyzing application crashes, apport attempts to detect if the crashing process was running inside a container before performing consistency checks on it,” according to Canonical’s Octavio Galland.
If a local attacker induces a crash in a privileged process and quickly replaces it with another process that has the same PID and resides inside a mount and PID namespace, apport may forward the core dump, which can contain sensitive data from the original privileged process, into that namespace, where the attacker can read it.
Red Hat, for its part, rated CVE-2025-4598 as Moderate in severity. It explained that exploiting the flaw involves high complexity, as the attacker must win the race condition and already possess an unprivileged local account.
As a mitigation step, Red Hat advised running the command echo 0 > /proc/sys/fs/suid_dumpable as the root user. This disables the system's ability to generate core dumps for SUID binaries.
The /proc/sys/fs/suid_dumpable parameter governs whether SUID programs may produce core dumps after crashing. Setting it to zero prevents SUID programs from creating core dumps, which also blocks crash analysis for those binaries.
“While this measure helps mitigate the vulnerability in the absence of an available update to the systemd package, it does prevent debugging crashes in SUID binaries,” Red Hat noted.
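The check a practitioner wants before and after applying that advice is whether the host actually pipes core dumps to apport or systemd-coredump (the kernel.core_pattern setting) and what fs.suid_dumpable is set to, since the vulnerable path is only reachable when both a pipe handler and SUID dumps are enabled. The script below is an added example written for this page, not code from Qualys, Canonical, Red Hat, or the article. The two sample core_pattern strings are constructed to look like an Ubuntu and a Fedora/RHEL installation, and the /etc/sysctl.d drop-in file name is this example's own choice.

```shell
#!/bin/sh
# Added example (not Qualys, Canonical or Red Hat code): audit a Linux host for
# the core dump handler and SUID dump setting involved in CVE-2025-5054 and
# CVE-2025-4598, and apply Red Hat's suid_dumpable=0 mitigation.
# The drop-in file name under /etc/sysctl.d is this example's choice.

# Identify the user-space core dump handler from a kernel.core_pattern value.
# A leading '|' tells the kernel to pipe the dump to that program; apport and
# systemd-coredump are both installed this way, and that hand-off is where the
# PID-reuse race happens. Any other value means the kernel writes a file itself.
classify_core_pattern() {
    case "$1" in
        "|"*apport*)           echo apport ;;
        "|"*systemd-coredump*) echo systemd-coredump ;;
        "|"*)                  echo other-pipe-handler ;;
        *)                     echo kernel-file ;;
    esac
}

# Interpret fs.suid_dumpable:
#   0 = SUID processes never dump (Red Hat's mitigation)
#   1 = SUID processes dump like any other process
#   2 = SUID processes dump only when core_pattern is a pipe or absolute path,
#       which is the mode apport and systemd-coredump rely on to receive them
suid_dumpable_status() {
    case "$1" in
        0)   echo mitigated ;;
        1|2) echo suid-dumps-enabled ;;
        *)   echo unknown ;;
    esac
}

# Combine both settings. "at-risk" means an unpatched apport/systemd-coredump
# would receive SUID core dumps; the real fix is the vendor package update,
# suid_dumpable=0 only closes the path until then.
exposure() {
    handler=$(classify_core_pattern "$1")
    case "$(suid_dumpable_status "$2")" in
        unknown)   echo unknown ;;
        mitigated) echo mitigated ;;
        *) case "$handler" in
               apport|systemd-coredump) echo at-risk ;;
               other-pipe-handler)      echo other-handler ;;
               *)                       echo not-reachable ;;
           esac ;;
    esac
}

# Read the live values; falls back to "unknown" if /proc is not readable.
audit_host() {
    pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo unknown)
    dumpable=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unknown)
    printf 'core_pattern  : %s\nsuid_dumpable : %s\nstatus        : %s\n' \
        "$pattern" "$dumpable" "$(exposure "$pattern" "$dumpable")"
}

# Red Hat's mitigation, applied now and persisted across reboots. Needs root,
# and it stops core dumps of SUID binaries entirely (no crash analysis for them).
apply_mitigation() {
    sysctl -w fs.suid_dumpable=0
    printf 'fs.suid_dumpable = 0\n' > /etc/sysctl.d/99-suid-dumpable.conf
}

# Constructed sample core_pattern values in the shape Ubuntu (apport) and
# Fedora/RHEL (systemd-coredump) install; they are illustrations, not captures.
SAMPLE_APPORT='|/usr/share/apport/apport -p%p -s%s -c%c -d%d -P%P -u%u -g%g -- %E'
SAMPLE_SYSTEMD='|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h'

printf 'sample apport host, suid_dumpable=2  : %s\n' "$(exposure "$SAMPLE_APPORT" 2)"
printf 'sample systemd host, suid_dumpable=0 : %s\n' "$(exposure "$SAMPLE_SYSTEMD" 0)"
audit_host
# Run apply_mitigation as root only after audit_host reports at-risk and no
# patched package is available yet.
```

Running the script as an unprivileged user prints the classification of the two constructed samples followed by the live host's values; apply_mitigation is deliberately not called, because it needs root and, as Red Hat notes, it trades away crash analysis for SUID binaries. A value of 2 in suid_dumpable is not a mitigation here: it is precisely the setting that lets a pipe handler such as apport or systemd-coredump receive the SUID dump.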
Additionally, Amazon Linux, Debian, and Gentoo have released similar advisories. Notably, Debian systems remain unaffected by CVE-2025-4598 by default, since they don't ship with a core dump handler unless the systemd-coredump package is manually installed. Furthermore, CVE-2025-4598 does not impact any Ubuntu releases.
Meanwhile, Qualys developed proof-of-concept (PoC) code for both vulnerabilities. It shows how a local attacker could use the core dump of a crashed unix_chkpwd process, the privileged helper that validates user passwords, to extract password hashes from the /etc/shadow file.
Canonical also issued its own alert, stating that CVE-2025-5054 impacts only the confidentiality of memory accessed by invoked SUID executables. It added that while the PoC can leak hashed passwords, the real-world impact remains limited.
Abbasi emphasized the broader implications: “Exploiting vulnerabilities in Apport and systemd-coredump could significantly compromise confidentiality, enabling attackers to extract sensitive data such as passwords, encryption keys, or customer information from core dumps.”
He concluded, “The consequences include operational disruptions, reputational harm, and possible regulatory violations. To effectively mitigate these multifaceted risks, enterprises should adopt proactive security strategies, prioritize patches and mitigations, enhance monitoring, and enforce strict access controls.”
Source: TheHackerNews