Critical Vulnerabilities in Linux Enable Exfiltration of Password Hashes through Core Dumps in Ubuntu, RHEL, and Fedora
Two information disclosure vulnerabilities have been identified in Apport and systemd-coredump, the core dump handling systems used in various Linux distributions, including Ubuntu, Red Hat Enterprise Linux, and Fedora. These vulnerabilities, tracked as CVE-2025-5054 and CVE-2025-4598, are both race condition bugs that could allow a local attacker to gain access to sensitive information.
The Apport and systemd-coredump tools are essential for handling crash reporting and core dumps in Linux environments. The vulnerabilities enable attackers to exploit a SUID program, leading to unauthorized read access to sensitive core dump data.
Saeed Abbasi, a manager at Qualys Threat Research Unit, noted, “These race conditions allow a local attacker to exploit a SUID program and gain read access to the resulting core dump.”
Description of Vulnerabilities
– CVE-2025-5054 (CVSS score: 4.7): This vulnerability exists in the Canonical Apport package up to version 2.32.0, allowing a local attacker to leak sensitive information via PID reuse by leveraging namespaces.
– CVE-2025-4598 (CVSS score: 4.7): This flaw in systemd-coredump permits an attacker to force a SUID process to crash and subsequently replace it with a non-SUID binary, thus gaining access to the original privileged process’s core dump. This can enable the attacker to read sensitive data, such as content from the /etc/shadow file.
SUID, or Set User ID, is a special file permission that allows a user to execute a program with the privileges of its owner, rather than their own user privileges.
Octavio Galland from Canonical explained that during analysis of application crashes, Apport attempts to identify if the crashing process was operating within a container. If an attacker manages to induce a crash in a privileged process and swiftly replaces it with another process with the same ID in a mount and PID namespace, Apport may inadvertently forward the core dump that could contain confidential information from the original process.
Red Hat classified CVE-2025-4598 as moderate severity, citing the complexity of a successful exploit: the attacker must initiate the race condition and already possess an unprivileged local account.
Mitigation Recommendations
Red Hat recommends running the command echo 0 > /proc/sys/fs/suid_dumpable as root to prevent the system from generating core dumps for SUID binaries. This parameter controls whether SUID programs can produce core dumps upon crashing; setting it to zero disables core dumps for all SUID programs and thereby reduces the risk associated with these vulnerabilities.
While this mitigation minimizes the risk of these vulnerabilities when updates cannot be applied, it also disables the ability to analyze crashes of such binaries. Similar advisories have been issued by other distributions, including Amazon Linux, Debian, and Gentoo. Notably, Debian systems are not affected by CVE-2025-4598 by default, as they do not include a core dump handler unless the systemd-coredump package is manually installed, and CVE-2025-4598 likewise does not affect Ubuntu releases.
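The following is an added POSIX shell audit for the mitigation above; it is not code from the advisory, Red Hat, Canonical or Qualys. It checks fs.suid_dumpable together with the handler named in kernel.core_pattern (only a pipe handler such as apport or systemd-coredump is in scope for these bugs) and writes the persistent equivalent of the recommended command; the optional proc-root argument, the drop-in directory and the file name 60-suid-dumpable.conf are my own choices so the helpers can be exercised against a constructed tree.

```shell
# Added audit helpers for the suid_dumpable mitigation (not from the advisory
# or any vendor). Each helper takes an optional root that defaults to the live
# /proc, so a constructed directory tree can stand in for it when testing.

# Succeeds only when fs.suid_dumpable is 0, the value the advisory recommends.
# Kernel semantics: 0 never dumps privileged/SUID processes, 1 dumps every
# process, 2 ("suidsafe") still hands privileged dumps to the core_pattern
# handler, which is exactly the path these race conditions target.
suid_dumpable_mitigated() {
    sd_val=$(cat "${1:-/proc}/sys/fs/suid_dumpable" 2>/dev/null) || return 2
    [ "$sd_val" = "0" ]
}

# Report which user-space handler core_pattern pipes crashes to, if any.
core_handler() {
    cp_val=$(cat "${1:-/proc}/sys/kernel/core_pattern" 2>/dev/null) || { echo unknown; return 0; }
    case "$cp_val" in
        "|"*apport*)           echo apport ;;
        "|"*systemd-coredump*) echo systemd-coredump ;;
        "|"*)                  echo other-pipe-handler ;;
        *)                     echo file ;;
    esac
}

# MITIGATED: suid_dumpable is 0. EXPOSED: SUID dumps are still handed to
# apport or systemd-coredump, so only a patched handler protects the host.
# REVIEW: some other handler or a plain file target; inspect it manually.
audit_core_dump_exposure() {
    if suid_dumpable_mitigated "$1"; then
        echo MITIGATED
    else
        case "$(core_handler "$1")" in
            apport|systemd-coredump) echo EXPOSED ;;
            *)                       echo REVIEW ;;
        esac
    fi
}

# Persistent form of `echo 0 > /proc/sys/fs/suid_dumpable`: a sysctl drop-in
# (normally under /etc/sysctl.d, written as root) so the setting survives a
# reboot. The drop-in file name is an assumption, not a vendor convention.
write_sysctl_dropin() {
    printf 'fs.suid_dumpable = 0\n' > "${1:-/etc/sysctl.d}/60-suid-dumpable.conf"
}
```

On a live host, run audit_core_dump_exposure with no argument; if it prints EXPOSED and the vendor update cannot be applied yet, apply the echo command from the advisory and call write_sysctl_dropin as root.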
Qualys has also produced proof-of-concept code illustrating how a local attacker could exploit the coredump of a crashed unix_chkpwd process to extract password hashes from the /etc/shadow file.
Canonical has stated that the impact of CVE-2025-5054 is limited to the confidentiality of the memory space of invoked SUID executables, and the proof-of-concept leaks of hashed user passwords have a restricted real-world impact.
As highlighted by Abbasi, “The exploitation of vulnerabilities in Apport and systemd-coredump can seriously compromise confidentiality, as attackers could extract sensitive data from core dumps. This poses operational risks, reputational damage, and possible non-compliance issues. Enterprises should implement proactive security measures, prioritize patches and mitigations, enhance monitoring, and strengthen access controls to effectively address these multifaceted risks.”