In a recent disclosure, the Qualys Threat Research Unit (TRU) has unearthed two local information disclosure vulnerabilities affecting core crash-reporting mechanisms in major Linux distributions. Assigned CVE-2025-5054 and CVE-2025-4598, these flaws stem from race conditions in Apport and systemd-coredump, potentially allowing local attackers to gain unauthorized access to sensitive system memory.
"The exploitation of vulnerabilities in Apport and systemd-coredump can severely compromise the confidentiality at high risk," Qualys warns, "as attackers could extract sensitive data, like passwords, encryption keys, or customer information from core dumps."
The first vulnerability (CVE-2025-5054) impacts Apport, Ubuntu's default crash-reporting tool. The second (CVE-2025-4598) targets systemd-coredump, widely used in Red Hat Enterprise Linux (RHEL) 9 & 10, Fedora 40/41, and numerous systemd-based distributions.
Both flaws arise from race conditions: bugs that occur when a system's behavior depends on the timing of events it does not control. By exploiting these bugs, attackers can time their access to SUID-generated core dumps, tricking the system into granting them read access to files normally restricted to root.
Using the affected crash handlers, Qualys developed proofs-of-concept (POCs) showing how an attacker could crash the unix_chkpwd process (responsible for validating passwords), capture its core dump, and extract password hashes from /etc/shadow, a file that should be inaccessible to non-privileged users.
"These POCs demonstrate how a local attacker can exploit the coredump of a crashed unix_chkpwd process… to obtain password hashes," the TRU report explains.
This technique is particularly dangerous given how common the unix_chkpwd binary is across modern Linux distributions.
At its core, this vulnerability threatens confidentiality and integrity at the operating system level. Compromised core dumps may contain:
- Password hashes and secrets
- In-memory encryption keys
- API tokens or credentials
- Session information from active processes
In enterprise environments, a successful exploit could lead to regulatory violations, unauthorized data exposure, and significant reputational damage. As the report notes, these types of vulnerabilities are not new, but modern mitigation techniques still leave gaps:
"Systems running outdated or unpatched versions remain prime targets for vulnerabilities disclosed today."
Until patches are fully rolled out, Qualys recommends disabling SUID-generated core dumps via the kernel parameter:
This blocks core dumps from privileged binaries, including those that might otherwise be exploitable.
"This modification will disable the interpreter scanning feature," Qualys explains, "but it can act as a temporary fix if the vulnerable core-dump handler itself cannot be patched immediately."
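As an added defender-side check (not from the article or from Qualys), the script below assumes the kernel parameter meant above is the fs.suid_dumpable sysctl and reads it together with kernel.core_pattern to tell whether set-uid core dumps on a host would be piped to Apport or systemd-coredump; the sample values in the main block are constructed to resemble Ubuntu and Fedora defaults.

```python
"""Audit core-dump settings relevant to the Apport / systemd-coredump advisory.
Assumption: fs.suid_dumpable (0 = privilege-changing processes never dump,
1 = everything dumps, 2 = 'suidsafe') is the parameter the article refers to."""
from dataclasses import dataclass
from pathlib import Path
import shlex

# Crash handlers named in the advisory, matched by basename of the pipe target.
VULNERABLE_HANDLERS = {"apport", "systemd-coredump"}


@dataclass
class Verdict:
    suid_dumpable: int
    handler: str      # basename of the piped handler, or "file" / "none"
    status: str       # "mitigated", "exposed" or "review"
    reason: str


def handler_from_core_pattern(core_pattern: str) -> str:
    """Return the basename of the program cores are piped to ('file' if written to disk)."""
    pattern = core_pattern.strip()
    if not pattern.startswith("|"):
        return "file"
    argv = shlex.split(pattern[1:])
    return Path(argv[0]).name if argv else "none"


def assess(suid_dumpable: str, core_pattern: str) -> Verdict:
    """Combine both sysctl values into one finding."""
    value = int(suid_dumpable.strip())
    handler = handler_from_core_pattern(core_pattern)
    if value == 0:
        return Verdict(value, handler, "mitigated",
                       "fs.suid_dumpable=0: set-uid processes never dump core")
    if handler in VULNERABLE_HANDLERS:
        return Verdict(value, handler, "exposed",
                       f"set-uid cores (mode {value}) are piped to {handler}")
    return Verdict(value, handler, "review",
                   f"set-uid cores enabled (mode {value}); handler '{handler}' not covered here")


def sysctl_dropin() -> str:
    """Persistent mitigation as a sysctl.d fragment (apply live with: sysctl -w fs.suid_dumpable=0)."""
    return "# disable core dumps of set-uid / privilege-changing processes\nfs.suid_dumpable = 0\n"


def audit_live_host() -> Verdict:
    """Read the running kernel's values (Linux only; requires /proc)."""
    return assess(Path("/proc/sys/fs/suid_dumpable").read_text(),
                  Path("/proc/sys/kernel/core_pattern").read_text())


if __name__ == "__main__":
    # Constructed sample values resembling Ubuntu (Apport) and Fedora (systemd-coredump) defaults.
    print(assess("2", "|/usr/share/apport/apport -p%p -s%s -c%c -d%d -P%P -u%u -g%g -- %E"))
    print(assess("0", "|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h"))
```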
Affected versions include:
- Apport: all Ubuntu releases from 16.04 through 24.04 (Apport ≤ 2.33.0)
- systemd-coredump: Fedora 40/41, RHEL 9 and RHEL 10
- Debian is not vulnerable by default unless systemd-coredump is manually installed