Two local information-disclosure vulnerabilities have been identified in popular Linux crash-reporting tools, allowing attackers to access sensitive system data.
The vulnerabilities, discovered by the Qualys Threat Research Unit (TRU), affect Apport on Ubuntu and systemd-coredump on Red Hat Enterprise Linux (RHEL) and Fedora.
CVE-2025-5054 targets Apport, Ubuntu's crash-reporting framework, while CVE-2025-4598 impacts systemd-coredump, used on RHEL 9, RHEL 10 and Fedora 40/41.
Both are race-condition flaws that allow local users to exploit SUID programs to read core dumps from crashed processes.
In proof-of-concept demonstrations, TRU successfully extracted password hashes from /etc/shadow by targeting the unix_chkpwd utility, which is present by default on most Linux distributions.
"Crash handlers remain a hidden weak point in Linux hygiene," said Jason Soroko, senior fellow at Sectigo.
"The discoveries tracked as CVE-2025-5054 and CVE-2025-4598 expose how engineers have placed legacy debug tools inside modern production images without redesign."
He added that, "Core dump helpers still inherit enough privilege to reveal the entire shadow store. A local low-privilege user can wait for any SUID process to crash, then race the handler and loot hashes without tripping network detection."
Core dumps store memory snapshots of crashing applications, often including credentials or cryptographic keys.
Tools like Apport and systemd-coredump were designed for debugging but can inadvertently expose critical data if misconfigured or left unpatched.
Affected software includes:
- Apport up to version 2.33.0 on all Ubuntu releases since 16.04, including 24.04
- systemd-coredump on Fedora 40/41, RHEL 9 and RHEL 10
Debian systems are not affected by default, as they don't pre-install systemd-coredump.
To reduce exposure, administrators are advised to:
- Set /proc/sys/fs/suid_dumpable to 0 to disable core dumps for all SUID programs
- Apply available patches as soon as possible
- Tighten access controls around core-dump handling utilities
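As an added example (not from the article, Qualys or either distribution), a POSIX shell audit that checks the kernel setting the first mitigation above turns off, fs.suid_dumpable, and reports which helper the kernel's core_pattern hands dumps to. The file paths are parameters, so the functions can be exercised against sample files as well as the live procfs entries.

```shell
#!/bin/sh
# Audit the core-dump settings relevant to CVE-2025-5054 / CVE-2025-4598.
# Helper names are hypothetical; the procfs paths are the real kernel ones.

# classify_suid_dumpable FILE -> prints disabled | debug | suidsafe | unknown
classify_suid_dumpable() {
    _val=$(cat "$1" 2>/dev/null | tr -d '[:space:]')
    case "$_val" in
        0) echo disabled ;;   # SUID/privileged processes never dump core (the advised setting)
        1) echo debug ;;      # dumps written as if the process were unprivileged: exposure risk
        2) echo suidsafe ;;   # dumps only through a pipe handler or absolute path, root-owned
        *) echo unknown ;;
    esac
}

# core_handler FILE -> prints which program core_pattern pipes dumps into
core_handler() {
    _pat=$(cat "$1" 2>/dev/null)
    case "$_pat" in
        "|"*apport*)           echo apport ;;
        "|"*systemd-coredump*) echo systemd-coredump ;;
        "|"*)                  echo other-pipe ;;
        *)                     echo file ;;
    esac
}

# audit SUID_DUMPABLE_FILE CORE_PATTERN_FILE -> returns 0 when mitigated, 1 when exposed
audit() {
    _mode=$(classify_suid_dumpable "$1")
    _handler=$(core_handler "$2")
    echo "fs.suid_dumpable=$_mode core_pattern handler=$_handler"
    if [ "$_mode" = disabled ]; then
        return 0
    fi
    # Any non-zero value still lets SUID crashes reach the handler; the page's
    # advice is fs.suid_dumpable=0 plus patching the handler itself.
    echo "exposed: SUID core dumps are routed to $_handler; set fs.suid_dumpable=0 and patch $_handler"
    return 1
}

# Run against the live kernel only when invoked with --live, e.g.:
#   sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern
fi
```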
"Defenders should begin to treat crash management as a regulated data pipeline instead of a developer convenience," Soroko said.
"Encrypt memory dumps in flight and at rest and enforce rapid shredding once triage ends. Strip SUID binaries of the ability to write dumps and verify handler identity with strict PID checks. These changes will end up costing little compared with a breach caused by password hash theft."