Emerging Linux Vulnerabilities Reveal Password Hashes through Core Dumps


Two local information-disclosure vulnerabilities have been identified in widely used Linux crash-reporting tools, which could let local attackers read sensitive system data.

The vulnerabilities, disclosed by the Qualys Threat Research Unit (TRU), affect Apport on Ubuntu and systemd-coredump on Red Hat Enterprise Linux (RHEL) and Fedora. They are tracked as CVE-2025-5054, which affects Apport, and CVE-2025-4598, which affects systemd-coredump as shipped on RHEL 9, RHEL 10, and Fedora 40/41.

Both vulnerabilities stem from race conditions that let local users read the core dumps of crashed SUID programs. TRU’s proof-of-concept demonstrations extracted password hashes from PLACEHOLDER1bbc6f628d8994a7 by forcing a crash of the unix_chkpwd utility, which is installed by default on most Linux distributions.

“Crash handlers remain a hidden weak point in Linux hygiene,” stated Jason Soroko, senior fellow at Sectigo. “The discoveries tracked as CVE-2025-5054 and CVE-2025-4598 expose how engineers have incorporated legacy debugging tools into modern production images without adequate redesign.”

Soroko further noted, “Core dump helpers still inherit sufficient privilege to expose the complete shadow store. A local low-privilege user can wait for any SUID process to crash, race the handler, and extract hashes without triggering network detection.”

Core dumps store a memory snapshot of an application at the moment it crashes, and that snapshot often contains sensitive material such as credentials or cryptographic keys. Tools like Apport and systemd-coredump, although intended for debugging, can therefore expose sensitive data if they are not properly configured or kept up to date.

The affected software versions include:
– Apport up to version 2.33.0 on all Ubuntu releases since 16.04, including 24.04.
– systemd-coredump on Fedora 40/41, RHEL 9, and RHEL 10.

Default Debian systems are not susceptible as they do not include systemd-coredump out of the box.

To mitigate this security risk, administrators are advised to:
– Set /proc/sys/fs/suid_dumpable to 0 to disable core dumps for all SUID programs.
– Implement available patches promptly.
– Strengthen access controls around core-dump handling utilities.
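The first two mitigations above can be checked and persisted with a small shell audit. This is an added example, not code from the advisory, Qualys, Ubuntu or Red Hat; the file-path parameters, the `--audit` flag and the drop-in file name are assumptions.

```sh
#!/bin/sh
# Added audit helper (not from the advisory or the affected projects). Paths are
# parameters so captured copies of the sysctl files can be checked; with no
# argument the live kernel value is read.

# Map fs.suid_dumpable to its documented meaning: 0 = SUID processes never dump,
# 1 = dump owned by the process user, 2 = "suidsafe" (root-only file or pipe).
classify_suid_dumpable() {
  case "$1" in
    0) echo "disabled" ;;
    1) echo "debug" ;;
    2) echo "suidsafe" ;;
    *) echo "unknown" ;;
  esac
}

read_suid_dumpable() {
  file="${1:-/proc/sys/fs/suid_dumpable}"
  [ -r "$file" ] || { echo "unknown"; return 1; }
  tr -d '[:space:]' < "$file"
}

# Which handler kernel.core_pattern hands dumps to; a leading '|' means the
# kernel pipes the core image into a helper such as Apport or systemd-coredump.
detect_core_handler() {
  file="${1:-/proc/sys/kernel/core_pattern}"
  [ -r "$file" ] || { echo "unknown"; return 1; }
  case "$(cat "$file")" in
    \|*systemd-coredump*) echo "systemd-coredump" ;;
    \|*apport*) echo "apport" ;;
    \|*) echo "other-pipe-handler" ;;
    *) echo "file" ;;
  esac
}

# The advisory's mitigation: only 0 fully disables SUID core dumps.
is_hardened() { [ "$(classify_suid_dumpable "$1")" = "disabled" ]; }

# Persist the setting in a sysctl drop-in (path chosen by the caller, e.g.
# /etc/sysctl.d/99-no-suid-dumps.conf); apply live with sysctl -w fs.suid_dumpable=0.
write_sysctl_dropin() { printf 'fs.suid_dumpable = 0\n' > "$1"; }

# Report on the running system: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
  v=$(read_suid_dumpable)
  printf 'fs.suid_dumpable=%s (%s) handler=%s\n' "$v" \
    "$(classify_suid_dumpable "$v")" "$(detect_core_handler)"
  is_hardened "$v" || echo "WARNING: SUID core dumps are not disabled"
fi
```

Note that a value of 2 still lets the kernel pipe a SUID crash into Apport or systemd-coredump, which is exactly the path the two CVEs abuse, so only 0 counts as hardened here.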

“Defenders should begin to treat crash management as a regulated data pipeline rather than a developer convenience,” Soroko emphasized. “Encrypt memory dumps in transit and at rest, enforce rapid shredding after triage, strip SUID binaries of the capability to write dumps, and ensure strict PID checks to verify handler identity. These preventative measures will incur minimal cost compared to the potential fallout from a breach caused by password hash theft.”