Linux security flaw gives hackers access to sensitive data

New vulnerabilities in Linux components apport and systemd-coredump could allow local attackers to access sensitive information. Qualys researchers identified two race conditions that could be used to read core dumps from privileged processes. However, Red Hat emphasizes the complexity of an actual exploit.

The problems lie in the way Ubuntu and Red Hat Enterprise Linux handle crash reports. CVE-2025-5054 affects Canonical’s apport package up to version 2.32.0; CVE-2025-4598 concerns systemd-coredump. Both vulnerabilities involve race conditions that allow a local attacker to crash a privileged process.

The attack works by quickly placing a new, non-privileged binary on the same process ID. This allows the core dump of the original process to be intercepted. Earlier this year, we saw problems in Linux components with the CUPS vulnerability that enabled remote code execution, which also involved race conditions.

Debian and Ubuntu affected differently

Interestingly, not all distributions are equally vulnerable. Debian systems are not susceptible to CVE-2025-4598 by default because they do not contain a core dump handler unless the systemd-coredump package is installed manually. Ubuntu releases are also unaffected.

Red Hat categorizes the threat as “moderate” due to its high complexity. An attacker must first win the race condition and have a local account without privileges. “These race conditions allow a local attacker to exploit a SUID program and gain read access to the resulting core dump,” explains Qualys product manager Saeed Abbasi.

Temporary protection available

For organizations that cannot update immediately, Red Hat offers a workaround. By executing the command “echo 0 > /proc/sys/fs/suid_dumpable” as the root user, the ability for the system to generate core dumps for SUID binaries is disabled. This parameter determines whether SUID programs can produce core dumps after a crash.
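To see whether the workaround is already in effect on a host, the read-only check below (an added example, not code from Red Hat, Canonical or Qualys) reads suid_dumpable and kernel.core_pattern and reports which crash handler would receive SUID core dumps. The verdict words and function names are this example's own.

```shell
#!/bin/sh
# Read-only audit for the suid_dumpable workaround (added example).
# Kernel meaning of fs.suid_dumpable: 0 = no core dumps for SUID programs,
# 1 = dump all processes, 2 = "suidsafe" (dump readable by root only and
# delivered to a pipe handler or absolute path in kernel.core_pattern).

# classify_handler PATTERN: name the crash handler behind kernel.core_pattern.
classify_handler() {
    case "$1" in
        "|"*apport*)           echo apport ;;
        "|"*systemd-coredump*) echo systemd-coredump ;;
        "|"*)                  echo other-pipe ;;
        *)                     echo file ;;
    esac
}

# assess DUMPABLE PATTERN: verdict word followed by the values it is based on.
#   mitigated   = the workaround from the article is in effect
#   check-patch = SUID cores reach apport or systemd-coredump; confirm the
#                 installed package carries the vendor fix
#   review      = SUID cores are produced but go to another handler or file
assess() {
    handler=$(classify_handler "$2")
    case "$1" in
        0)   echo "mitigated suid_dumpable=0 handler=$handler" ;;
        1|2) case "$handler" in
                 apport|systemd-coredump)
                     echo "check-patch suid_dumpable=$1 handler=$handler" ;;
                 *)  echo "review suid_dumpable=$1 handler=$handler" ;;
             esac ;;
        *)   echo "unknown suid_dumpable=$1 handler=$handler" ;;
    esac
}

# Live check of this host; falls back to "unreadable" if /proc is unavailable.
dumpable=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unreadable)
pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo unreadable)
echo "this host: $(assess "$dumpable" "$pattern")"
```

A value written with echo to /proc lasts only until the next reboot, so rerun the check after restarts while the workaround is still needed.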

Qualys developed proof-of-concept code for both vulnerabilities. This demonstrates how a local attacker can exploit the core dump of a crashed unix_chkpwd process to obtain password hashes from the /etc/shadow file. However, Canonical emphasizes that the impact is limited to the memory of SUID executables and that the PoC exploit has little relevance in practice.