Two newly disclosed vulnerabilities affecting Linux crash-handling utilities—Apport and systemd-coredump—pose a risk of sensitive data leakage on systems running Ubuntu, Red Hat Enterprise Linux, Fedora, and potentially others. The flaws, stemming from race conditions, may allow local attackers to extract contents of core dumps generated by privileged SUID processes.

The issues are tracked as:
- CVE-2025-5054 (CVSS 4.7) – Impacts Apport up to version 2.32.0
- CVE-2025-4598 (CVSS 4.7) – Impacts systemd-coredump
🛠 Vulnerability Overview
These bugs arise from the way core dumps are handled after a crash. Both Apport and systemd-coredump are designed to assist in analyzing faults in Linux systems—but the vulnerabilities show that under certain conditions, they can be tricked into exposing memory content of high-privilege processes.
- CVE-2025-5054 is exploited through PID reuse and Linux namespaces, which trick Apport into delivering a core dump into a container or isolated environment controlled by the attacker.
- CVE-2025-4598 lets an attacker crash a SUID binary and then rapidly replace it with a non-SUID process, gaining access to the original process’s sensitive core dump—potentially including the contents of files such as /etc/shadow.
⚠️ Real-World Risk and Exploitation
Security researchers have demonstrated proof-of-concept (PoC) code showing how these flaws can be used to obtain hashed passwords from system processes like unix_chkpwd, which handles password verification. While the attack requires local access, precise timing, and technical sophistication, the implications are significant for multi-user systems or environments with untrusted users.
One key risk stems from SUID binaries, which run with elevated privileges. Linux systems that do not restrict core dump generation for these binaries are especially vulnerable.
🔒 Recommended Mitigations
To reduce exposure:
- Disable core dumps for SUID binaries using:
  echo 0 > /proc/sys/fs/suid_dumpable
  This setting prevents privileged (set-user-ID) processes from generating dump files after a crash.
- Audit core dump handlers, especially on systems where systemd-coredump is installed manually (as is the case for Debian).
- Apply vendor patches as they become available.
- Monitor login activity and system crash events for unusual behavior.
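The following script is an added example, not code from the article or from the Apport or systemd projects. It wraps the fs.suid_dumpable mitigation above in an audit-and-harden helper: it classifies the current kernel value using the meanings documented for the sysctl (0 disables dumps of privilege-changing processes, 1 dumps them as the process's effective user, 2 "suidsafe" dumps them only through a core_pattern pipe handler or absolute path), reports the live setting, and optionally applies the hardened value both at runtime and persistently. The drop-in path /etc/sysctl.d/99-suid-dumpable.conf is an assumption chosen for this example; the kernel paths and sysctl(8) are standard.

```shell
#!/bin/sh
# Added example (not from the article): audit and harden fs.suid_dumpable.
# Assumes a Linux host with /proc mounted and sysctl(8) installed.

SUID_DUMPABLE_FILE="/proc/sys/fs/suid_dumpable"
# Drop-in path is an assumption for this example; any /etc/sysctl.d name works.
SYSCTL_DROPIN="/etc/sysctl.d/99-suid-dumpable.conf"

# classify_suid_dumpable VALUE
#   Maps a fs.suid_dumpable value to a verdict, following the kernel's
#   documented semantics for the sysctl:
#     0 -> "hardened": processes that changed privilege are never dumped
#     1 -> "unsafe":   dumped as the effective user (readable by that user)
#     2 -> "suidsafe": dumped only via a core_pattern pipe or absolute path
classify_suid_dumpable() {
  case "$1" in
    0) echo "hardened" ;;
    1) echo "unsafe" ;;
    2) echo "suidsafe" ;;
    *) echo "unknown" ;;
  esac
}

# current_suid_dumpable
#   Prints the live kernel value, or "unavailable" if /proc is not readable
#   (for example inside a restricted build sandbox).
current_suid_dumpable() {
  if [ -r "$SUID_DUMPABLE_FILE" ]; then
    cat "$SUID_DUMPABLE_FILE"
  else
    echo "unavailable"
  fi
}

# audit_suid_dumpable
#   Reports the running value and its verdict; exit status 0 only if hardened.
audit_suid_dumpable() {
  val=$(current_suid_dumpable)
  verdict=$(classify_suid_dumpable "$val")
  echo "fs.suid_dumpable=$val ($verdict)"
  [ "$verdict" = "hardened" ]
}

# harden_suid_dumpable (requires root)
#   Applies the article's mitigation at runtime (the echo to /proc is not
#   persistent across reboots) and persists it through a sysctl.d drop-in.
harden_suid_dumpable() {
  echo 0 > "$SUID_DUMPABLE_FILE"
  printf 'fs.suid_dumpable = 0\n' > "$SYSCTL_DROPIN"
  sysctl -p "$SYSCTL_DROPIN"
}

# Minimal CLI: ./suid_dumpable.sh audit | harden
case "${1:-}" in
  audit)  audit_suid_dumpable ;;
  harden) harden_suid_dumpable ;;
esac
```

Run `audit` from a configuration-check or fleet inventory job to find hosts still at 1 or 2; run `harden` as root only after confirming that no workflow depends on collecting core dumps from setuid programs, since value 0 suppresses them entirely rather than routing them through a handler.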
“These flaws highlight the importance of tight privilege boundaries in crash reporting systems. If exploited, they could lead to leaks of passwords, encryption keys, or internal memory states—impacting both privacy and compliance posture.”
While Ubuntu is impacted by CVE-2025-5054, CVE-2025-4598 does not affect Ubuntu by default. Debian systems are generally unaffected unless the vulnerable coredump handler is explicitly installed.
🧩 Broader Impact
Vendors including Amazon Linux, Gentoo, and others have acknowledged the issues and are publishing advisories. The vulnerabilities affect confidentiality, not integrity or availability, but their potential for credential exposure or lateral movement inside compromised environments cannot be ignored.
📌 SecurityX Insight:
Even tools meant for diagnostics can become attack vectors when misconfigured or poorly isolated. Organizations running multi-user Linux environments should harden SUID handling, review crash dump policies, and stay proactive with patching and monitoring to prevent unintended data exposure.