Introduction

This document addresses two local information disclosure vulnerabilities, CVE-2025-5054 and CVE-2025-4598 [1] [2] [4] [6] [8] [9] [10] [11] [12], found in the core dump handlers shipped by major Linux distributions: Apport on Ubuntu, and systemd-coredump on Red Hat Enterprise Linux (RHEL) [1] [2] [4] [6] [8] [9] [10] [12] and Fedora [2] [4] [8] [9] [10] [11] [12]. Together they potentially affect millions of systems, because an unprivileged local attacker can use them to read the memory of a crashed privileged (SUID) process through core dump manipulation.

Description

Two local information disclosure vulnerabilities [1] [8] [9] [11] [12], CVE-2025-5054 and CVE-2025-4598 [1] [2] [4] [6] [8] [9] [10] [11] [12], have been identified in the core dump handling mechanisms of major Linux distributions, including Ubuntu [2] [6] [8], Red Hat Enterprise Linux (RHEL) [1] [2] [4] [6] [8] [9] [10] [12], and Fedora [2] [4] [8] [9] [10] [11] [12], affecting millions of systems [10]. Both arise from race conditions in how the crash handler processes a crash of a Set User ID (SUID) program, and both allow a local attacker to extract sensitive data [3] [8] [9] [10] [12], including password hashes [1] [5] [6] [9] [10] [11] [12], by manipulating where the core dump ends up [8]. The implications are particularly severe for enterprise environments [10], where Linux servers support critical infrastructure [10]: a core dump is a snapshot of a program's memory at the time of the crash [10], and for a privileged process that snapshot often includes protected data [10].

CVE-2025-5054 is a race condition in Canonical's Apport [3], the default crash-reporting tool on Ubuntu, affecting versions up to 2.33.0 across all releases from 16.04 to 24.04. Apport mishandles process IDs (PIDs) while it processes a crash [3]: a local attacker crashes a SUID process, reuses its PID inside a Linux namespace before Apport has finished identifying the crashed process, and Apport then forwards the core dump, which can contain data the SUID process had read from /etc/shadow, into the attacker-controlled namespace [12]. The main risk is leakage of that privileged memory [3], compromising confidentiality [1] [3] and widening the attack surface available to local attackers [3].

CVE-2025-4598 affects systemd-coredump [1] [4] [6] [7] [8] [9] [11] [12], the default handler on RHEL 9 and 10 and on Fedora 40 and 41. The attack follows the same pattern: crash a privileged process such as unix_chkpwd (the PAM helper that reads /etc/shadow) and quickly replace it with an unprivileged process holding the same PID [2], so that systemd-coredump attributes the privileged dump to the attacker's process and lets the attacker read a core that may contain password hashes and encryption keys [8] [11]. Default Debian installations are not affected unless systemd-coredump has been installed manually, since it is not part of the base install. Red Hat rates the flaw "moderate" because exploitation requires a local, unprivileged account and winning the race [5].

Both vulnerabilities carry a CVSS v3.1 base score of 4.7 (MEDIUM) [7]: the attacker needs local access, the attack complexity is high because the PID race must be won, and the impact is to the confidentiality of the memory of the crashed SUID executable [7]; integrity and availability are not directly affected, which is why the score is only moderate despite the sensitivity of the data. The practical consequences can still be serious: leaked password hashes can be cracked offline [10] and used to escalate privileges and move laterally within networks [8] [10], with the attendant reputational damage [1] [8] [9] [12], regulatory compliance violations [8] [9] [12] and, downstream of such a compromise, operational disruption. This is particularly concerning for industries such as finance and healthcare [10], where data confidentiality and integrity are critical [10].
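As an added cross-check that is not part of the cited sources: the 4.7 score can be reproduced from the CVSS v3.1 base formula with the vector the text describes, AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (local, high complexity, low privileges, no user interaction, unchanged scope, high confidentiality impact only). The same arithmetic with I:H, which a genuine integrity impact would require, gives 6.3, so 4.7 is consistent only with a confidentiality-only impact.

$$\mathrm{ISS} = 1 - (1 - 0.56)(1 - 0)(1 - 0) = 0.56$$

$$\mathrm{Impact} = 6.42 \times \mathrm{ISS} = 6.42 \times 0.56 = 3.595$$

$$\mathrm{Exploitability} = 8.22 \times 0.55 \times 0.44 \times 0.62 \times 0.85 = 1.048$$

$$\mathrm{Base} = \mathrm{Roundup}(\min(3.595 + 1.048,\ 10)) = \mathrm{Roundup}(4.643) = 4.7$$

$$\text{With I:H instead: } \mathrm{ISS} = 1 - 0.44 \times 0.44 = 0.806,\quad \mathrm{Impact} = 6.42 \times 0.806 = 5.177,\quad \mathrm{Base} = \mathrm{Roundup}(5.177 + 1.048) = 6.3$$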

To mitigate these vulnerabilities [4] [6] [7] [8] [9] [10] [11] [12], apply the vendor patches promptly, upgrade all affected packages [7], and tighten access controls around the core dump handling utilities [4]. System administrators should also review core dump configuration so that privileged memory is not written to disk in the first place [10]. Patching may be delayed where the updates have broader system impact and must be tested first [3], leaving systems exposed in the meantime [3]. For those who cannot update immediately [5], the temporary workaround is to disable core dumps for SUID binaries by setting the kernel parameter /proc/sys/fs/suid_dumpable (sysctl fs.suid_dumpable) to 0 [8]. Zero is the kernel's own default; both Apport and systemd-coredump raise it to 2 so that SUID crashes are piped to them, and that delivery path is exactly what these races abuse. Setting it back to 0 removes the path until patches arrive [8] and affects only set-user-ID and other non-dumpable processes, so ordinary crash debugging continues to work; make the change persistent under /etc/sysctl.d and confirm the value after a reboot, because a crash handler service may reset it when it starts. Tested mitigation scripts have also been developed to help organizations address the threat quickly [8]; as with any fleet-wide change, they should be tested in a controlled environment before broad rollout [8].
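The audit and workaround described above, as an added example script that is not from the advisory, from Canonical, Red Hat or Qualys: it reads the two sysctl values that decide what happens to a SUID core dump, reports whether a crash handler can still receive such dumps, and stages the fs.suid_dumpable=0 workaround as a sysctl.d drop-in. The drop-in name 99-suid-dumpable.conf and the ability to point the functions at captured copies of the /proc files are this script's own choices.

```shell
#!/bin/sh
# Added example (not the page's or any vendor's code): audit the kernel settings
# behind CVE-2025-5054 / CVE-2025-4598 and stage the fs.suid_dumpable=0 workaround.

SUID_DUMPABLE=/proc/sys/fs/suid_dumpable
CORE_PATTERN=/proc/sys/kernel/core_pattern

# Explain a fs.suid_dumpable value. 2 is what Apport and systemd-coredump set so
# that SUID crashes are piped to them; 0 (the kernel default) is the workaround.
describe_suid_dumpable() {
    case "$1" in
        0) echo "0: SUID/non-dumpable processes never dump core (workaround in place)" ;;
        1) echo "1: debug mode, SUID processes dump core like any other process" ;;
        2) echo "2: suidsafe, SUID dumps are piped to the core_pattern handler or written root-only" ;;
        *) echo "unexpected value: $1"; return 1 ;;
    esac
}

# Print the user-space handler named in a kernel.core_pattern value, or "file"
# when the kernel writes the dump to disk itself and no handler is involved.
core_pattern_handler() {
    case "$1" in
        "|"*) printf '%s\n' "${1#?}" | cut -d' ' -f1 ;;
        *)    echo "file" ;;
    esac
}

# Return 0 when SUID dumps are disabled, 1 when a handler could still receive them.
# Optional arguments replace the /proc paths, e.g. with values captured elsewhere.
audit_core_dumps() {
    dumpable=$(cat "${1:-$SUID_DUMPABLE}")
    pattern=$(cat "${2:-$CORE_PATTERN}")
    echo "fs.suid_dumpable    -> $(describe_suid_dumpable "$dumpable")"
    echo "kernel.core_pattern -> handler: $(core_pattern_handler "$pattern")"
    if [ "$dumpable" = "0" ]; then
        echo "OK: SUID core dumps disabled; the PID race has nothing to redirect"
        return 0
    fi
    echo "EXPOSED: SUID core dumps still reach the handler; patch, or set fs.suid_dumpable=0"
    return 1
}

# Stage the workaround as a sysctl drop-in. The 99- prefix sorts after systemd's
# own 50-coredump.conf, so it wins at boot. Pass "live" as the second argument to
# also apply it to the running kernel (requires root).
apply_workaround() {
    dir=${1:-/etc/sysctl.d}
    conf="$dir/99-suid-dumpable.conf"
    printf '# Workaround for CVE-2025-5054 / CVE-2025-4598 until patched\nfs.suid_dumpable = 0\n' > "$conf"
    echo "wrote $conf"
    if [ "${2:-}" = "live" ]; then
        sysctl -w fs.suid_dumpable=0
    fi
}

# Usage: sh harden-coredump.sh audit | apply [live]
case "${1:-}" in
    audit) audit_core_dumps ;;
    apply) apply_workaround /etc/sysctl.d "${2:-}" ;;
esac
```

Run `audit` before and after applying the drop-in, and again after the next reboot: a non-zero exit from `audit_core_dumps` means a handler named in kernel.core_pattern can still be handed a privileged dump, and a crash handler service that sets the value to 2 at start will show up as the setting silently reverting.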

For maximum protection [7], apply the security updates and treat crash management as a secure data pipeline: isolate dump processing [6], encrypt memory dumps at rest [4], shred them promptly after triage [4], deny SUID binaries the ability to write dumps at all, and have the handler verify the identity of the crashed process with strict PID checks rather than trusting a PID that may already have been reused [4]. Organizations using the Qualys Cloud Agent can deploy the mitigation automatically through the TruRisk™ Eliminate module [12]. Passwordless authentication reduces the value of any password hash that does leak [9]. More broadly, flaws in two of the most trusted components of the Linux crash pipeline show that constant vigilance is required [10], including regular audits and proactive monitoring to find misconfigurations before they can be exploited [10].

Conclusion

The vulnerabilities CVE-2025-5054 and CVE-2025-4598 present significant risks to Linux systems, particularly in enterprise environments. Immediate action is required to mitigate these threats through patch application, system upgrades, and enhanced access controls [4]. Organizations must remain vigilant, employing robust security practices and proactive monitoring to safeguard against potential exploits. The implementation of passwordless authentication and secure crash management processes will further fortify systems against future vulnerabilities, ensuring the integrity and confidentiality of critical data.

References

[1] https://securityonline.info/linux-flaws-expose-sensitive-data-via-core-dumps/
[2] https://www.bitdefender.com/en-us/blog/hotforsecurity/intentionally-crashing-apps-on-linux-could-expose-password-hashes
[3] https://securityvulnerability.io/vulnerability/CVE-2025-5054
[4] https://www.infosecurity-magazine.com/news/linux-vulnerabilities-expose/
[5] https://www.techzine.eu/news/security/131888/linux-security-flaw-gives-hackers-access-to-sensitive-data/
[6] https://hackread.com/linux-crash-reporting-flaws-expose-password-hashes/
[7] https://ubuntu.com/blog/apport-local-information-disclosure-vulnerability-fixes-available
[8] https://cybersecuritynews.com/linux-vulnerabilities-expose-password-hashes/
[9] https://securityboulevard.com/2025/06/critical-linux-vulnerabilities-risk-password-hash-theft-worldwide/
[10] https://www.webpronews.com/critical-linux-flaws-expose-passwords-on-major-systems/
[11] https://cybermaterial.com/linux-core-dump-flaws-risk-password-leaks/
[12] https://gbhackers.com/new-linux-security-bugs/