Two critical local information-disclosure vulnerabilities affecting millions of Linux systems worldwide, potentially allowing attackers to extract sensitive password data through core dump manipulation.

The Qualys Threat Research Unit (TRU) disclosed two race-condition vulnerabilities that target core dump handlers on major Linux distributions. The first vulnerability, CVE-2025-5054, affects Ubuntu’s Apport crash reporting system, while the second, CVE-2025-4598, impacts systemd-coredump, the default core dump handler used across Red Hat Enterprise Linux 9 and 10, as well as Fedora distributions.

Both vulnerabilities exploit race conditions that allow local attackers to manipulate SUID (Set User ID) programs and gain unauthorized read access to resulting core dumps.

Qualys researchers have developed proof-of-concept exploits demonstrating how attackers can target the unix_chkpwd process—a standard component for password verification installed by default on most Linux distributions to extract password hashes.

Core dump handlers like systemd-coredump and Apport automatically capture memory snapshots when programs crash, creating potential goldmines of sensitive information, including passwords, encryption keys, and customer data.

While these tools implement security measures like restricting access to root users and storing dumps in secure locations, the newly discovered race conditions circumvent these protections.

The vulnerabilities affect a broad range of systems. Ubuntu 24.04 and all Ubuntu releases since 16.04 are vulnerable through Apport versions up to 2.33.0.

Meanwhile, Fedora 40/41 and Red Hat Enterprise Linux 9 and 10 face exposure through systemd-coredump. Notably, Debian systems remain protected by default since they don’t include core dump handlers unless manually installed.

The potential impact extends beyond simple data exposure. Organizations face risks of operational downtime, reputational damage, and regulatory compliance violations. The ability to extract password hashes could enable attackers to escalate privileges and move laterally across compromised networks.

Security experts recommend immediately implementing a critical mitigation: setting the /proc/sys/fs/suid_dumpable parameter to 0. This configuration change disables core dumps for all SUID programs, effectively neutralizing the attack vector while organizations await official patches.

“While this modification will disable some debugging capabilities for SUID programs and root daemons, it serves as an essential temporary fix when vulnerable core dump handlers cannot be patched immediately,” security researchers noted.

Qualys also developed thoroughly tested mitigation scripts, allowing organizations to rapidly neutralize the threat. However, Qualys warns that broad implementation may introduce operational risks and recommends thorough testing in controlled environments.

This discovery underscores the critical importance of proactive vulnerability management and the need for robust mitigation strategies when patches aren’t immediately available.

Organizations should prioritize updating their core dump handlers while implementing the recommended temporary mitigations to protect against potential exploitation.

Live Credential Theft Attack Unmask & Instant Defense – Free Webinar