
Two information disclosure vulnerabilities have been identified in Linux systems, including Ubuntu, Red Hat Enterprise Linux, and Fedora, affecting the memory dump handlers Apport and systemd-coredump. The discovery was reported by specialists at the Qualys Threat Research Unit (TRU). Both flaws are race conditions and are tracked as CVE-2025-5054 and CVE-2025-4598. They may allow a local user to gain access to sensitive data contained in memory dumps of privileged processes.
The tools Apport and systemd-coredump are designed to automatically collect diagnostic information in the event of application crashes, generating what are known as core dump files—snapshots of the memory state of a process at the time of failure. If the crash occurs in a program bearing the SUID (Set User ID) flag, these dumps can contain sensitive content, as the application may have had elevated privileges beyond those of a standard user.
CVE-2025-5054 (CVSS score 4.7) affects Apport versions up to and including 2.32.0. It relates to how Apport determines whether a crash occurred within a containerized environment. If an attacker triggers a crash in a privileged process and quickly launches a new process with the same PID inside a namespace, Apport may mistakenly associate the dump of the original process with the new one—granting access to confidential data.
CVE-2025-4598 (also CVSS 4.7) was found in systemd-coredump and involves its handling of dumps from SUID processes. A malicious user can induce a crash in a privileged process, then rapidly replace the executable with a non-SUID binary bearing the same PID to gain access to the memory of the original process. This technique could expose, for instance, the contents of /etc/shadow, where password hashes are stored.
Though both vulnerabilities require precise timing and specific conditions to exploit, their impact is significant. A demonstration by Qualys revealed how an attacker could obtain a memory dump of the unix_chkpwd process, used to verify user passwords, and extract password hashes from /etc/shadow.
Canonical has confirmed that CVE-2025-5054 can indeed lead to the leakage of SUID process memory. However, in most scenarios, the impact is limited to confidentiality, without enabling privilege escalation or arbitrary code execution. Nevertheless, proof-of-concept exploits have validated the feasibility of extracting hashed passwords.
Regarding CVE-2025-4598, Red Hat has classified it as a medium-severity vulnerability, citing the complexity of exploitation: the attacker must win the race condition and possess local, non-privileged access to the system.
As a temporary mitigation, Red Hat advises disabling core dumps for SUID programs using the command echo 0 > /proc/sys/fs/suid_dumpable, which must be executed as root. While this reduces the risk of data leakage, it also disables crash diagnostics via memory dumps for such programs.
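The following shell script is an added example, not part of the advisory or of Qualys' or Red Hat's material: it audits the current fs.suid_dumpable setting, interpreting its values as documented in the kernel's sysctl/fs documentation, and applies the interim mitigation above, persisting it so a reboot does not silently re-enable SUID core dumps. The path and the sysctl drop-in file name are parameters (the drop-in name is an assumption) so the functions can be exercised against a copy of the file without root.

```shell
#!/bin/sh
# Added example: audit and apply the "echo 0 > /proc/sys/fs/suid_dumpable"
# mitigation. The file path defaults to the real kernel knob but can be
# overridden so the logic can be tested on a scratch file.

# Classify the current fs.suid_dumpable value. Meanings follow the kernel
# documentation (Documentation/admin-guide/sysctl/fs.rst):
#   0 = SUID / otherwise non-dumpable processes never dump core  (mitigated)
#   1 = "debug": dumps are written, owned by the crashing user   (exposed)
#   2 = "suidsafe": root-owned dumps, only via absolute core_pattern or pipe
# Return code: 0 when mitigated, 1 when dumps are possible, 2 on error.
suid_dumpable_status() {
    path="${1:-/proc/sys/fs/suid_dumpable}"
    [ -r "$path" ] || { echo "unreadable"; return 2; }
    value=$(tr -d '[:space:]' < "$path")
    case "$value" in
        0) echo "mitigated"; return 0 ;;
        1) echo "exposed";   return 1 ;;
        2) echo "suidsafe";  return 1 ;;
        *) echo "unknown:$value"; return 2 ;;
    esac
}

# Set the running kernel to 0 and write a sysctl.d drop-in so the setting is
# reapplied at boot. On real paths this must run as root.
apply_suid_dumpable_mitigation() {
    path="${1:-/proc/sys/fs/suid_dumpable}"
    conf="${2:-/etc/sysctl.d/99-suid-dumpable.conf}"  # assumed drop-in name
    echo 0 > "$path" || return 1
    printf 'fs.suid_dumpable = 0\n' > "$conf" || return 1
    # Re-read the knob so the caller gets the post-change status code.
    suid_dumpable_status "$path" > /dev/null
}
```

Run suid_dumpable_status as any user to audit a host; apply_suid_dumpable_mitigation needs root and, as the article notes, also disables crash diagnostics for SUID programs.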
Similar advisories have been issued by Amazon Linux, Debian, and Gentoo. It is worth noting that Debian systems do not enable systemd-coredump by default and are therefore not affected by CVE-2025-4598 unless the relevant package is explicitly installed. Ubuntu, likewise, is not impacted by this vulnerability.
Qualys emphasized that overlooking vulnerabilities in memory dump handlers can result in the exposure of critical data, including passwords, encryption keys, and personal information. This carries not only technical ramifications but also legal and reputational consequences. Organizations are strongly encouraged to apply patches, implement mitigations, enhance monitoring, and tighten access controls.