NEWS Vulnerabilities in Linux Crash Handlers Expose Access to /etc/shadow

ExcalibuR


Password leaks are now just a matter of milliseconds.


Two information disclosure vulnerabilities have been identified in the core dump handlers Apport and systemd-coredump, affecting Linux systems including Ubuntu, Red Hat Enterprise Linux, and Fedora. Reported by the Qualys Threat Research Unit (TRU), both are race conditions, tracked as CVE-2025-5054 and CVE-2025-4598, that could allow a local, unprivileged user to read sensitive data from the core dumps of privileged processes.


Apport and systemd-coredump are invoked by the kernel when a program crashes; they collect a core dump, a snapshot of the crashed process's memory, for later diagnosis. If the crashed program has the SUID (Set User ID) bit, that dump can contain data the user who triggered the crash could never read directly, because the program ran with higher privileges than that user.


CVE-2025-5054 (CVSS score 4.7) affects Apport up to and including version 2.32.0. It lies in how Apport decides whether a crash came from a process inside a container. If an attacker crashes a privileged process and, in the race window before Apport examines it, replaces that PID with a process of their own inside a separate mount and PID namespace (a container, from Apport's point of view), Apport can conclude that the crash happened inside that container and forward the core dump of the original privileged process into it, where the attacker can read it.


CVE-2025-4598 (CVSS score 4.7) was found in systemd-coredump and concerns how dumps of SUID processes are handled. A local user can crash a privileged process and, reusing its PID, replace it with an ordinary non-SUID binary before systemd-coredump inspects it; the handler then treats the dump as belonging to the harmless process and makes it readable to that user. The dump contains whatever the privileged process had in memory, for example the contents of /etc/shadow, which stores hashed user passwords.


Although both vulnerabilities require precise timing and specific conditions to exploit, the consequences are severe. In Qualys' demonstration, an attacker obtains a dump of unix_chkpwd, the privileged PAM helper used to verify passwords, and extracts the /etc/shadow password hashes it had read into memory.


Canonical confirmed that CVE-2025-5054 could indeed lead to the leak of memory from SUID processes, but in most cases, the impact is limited to confidentiality, with no direct privilege escalation or arbitrary code execution. Nevertheless, the PoC (Proof of Concept) exploit confirms the possibility of password hash leakage.


As for CVE-2025-4598, Red Hat classified it as a medium-severity vulnerability, noting the high complexity of exploitation: the attacker needs only local, unprivileged access, but must win the race and replace the crashed process before the handler inspects it.


As a temporary protective measure, Red Hat recommends disabling core dumps for SUID programs with the command:


echo 0 > /proc/sys/fs/suid_dumpable


The command must be run as root, and it changes only the running kernel: to keep the setting across reboots, also place fs.suid_dumpable = 0 in a file under /etc/sysctl.d/. It removes the leak at the source, since the kernel then never produces a dump of a process that changed credentials, but it also disables crash diagnosis of SUID programs through core dumps.
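The following shell script is added here as a worked example; it is not code from the article, from Qualys, Red Hat, Canonical, or the Apport and systemd projects. It classifies the two kernel settings that decide whether a crashing SUID process ever reaches a user-space core dump handler, names the handler from kernel.core_pattern, checks an installed Apport version against the affected range, and persists Red Hat's interim mitigation. The sysctl.d file name and the sample core_pattern strings in the comments are assumptions made for the example.

```shell
#!/bin/sh
# Added audit/mitigation helper for the two core-dump-handler CVEs discussed
# above. Example code written for this page, not code from any vendor or
# project named in the article. File names and sample values are assumptions.

# classify_suid_dump SUID_DUMPABLE CORE_PATTERN
# Prints how the kernel would treat a crashing SUID process:
#   disabled  fs.suid_dumpable=0: processes that changed credentials are not
#             dumped at all, so there is nothing for the handler race to expose
#   exposed   fs.suid_dumpable=1 (debug mode, dump owned by the user) or =2
#             with a pipe handler ("|...") such as apport or systemd-coredump
#   rootfile  fs.suid_dumpable=2 with a plain file pattern: the kernel writes a
#             root-only core file and no user-space handler is involved
classify_suid_dump() {
    case "$1" in
        0) echo disabled ;;
        1) echo exposed ;;
        2) case "$2" in
               '|'*) echo exposed ;;
               *)    echo rootfile ;;
           esac ;;
        *) echo unknown ;;
    esac
}

# handler_from_pattern CORE_PATTERN
# Extracts the handler binary name from a pipe-style core_pattern, e.g.
# "|/usr/lib/systemd/systemd-coredump %P %u %g ..." -> systemd-coredump.
# Prints an empty string when the pattern is not a pipe.
handler_from_pattern() {
    case "$1" in
        '|'*) p=${1#?}          # drop the leading '|'
              p=${p%% *}        # keep the executable path, drop the %P %u ... args
              echo "${p##*/}" ;;  # basename of the handler
        *)    echo "" ;;
    esac
}

# apport_upstream_affected VERSION
# Prints yes if the upstream Apport version is <= 2.32.0, the range named in
# the advisory. Only the part before the first '-' is compared, so a distro
# revision that backports the fix (2.32.0-0ubuntuN.M style) still prints yes:
# confirm against the distribution advisory before calling a host vulnerable.
apport_upstream_affected() {
    v=${1%%-*}
    first=$(printf '%s\n%s\n' "$v" 2.32.0 | sort -V | head -n 1)
    if [ "$first" = "$v" ]; then echo yes; else echo no; fi
}

# audit_live: read the running kernel's settings and classify them.
audit_live() {
    d=$(cat /proc/sys/fs/suid_dumpable)
    p=$(cat /proc/sys/kernel/core_pattern)
    printf 'fs.suid_dumpable=%s\ncore_pattern=%s\nhandler=%s\nstatus=%s\n' \
        "$d" "$p" "$(handler_from_pattern "$p")" "$(classify_suid_dump "$d" "$p")"
    if command -v dpkg-query >/dev/null 2>&1; then
        av=$(dpkg-query -W -f='${Version}' apport 2>/dev/null || true)
        if [ -n "$av" ]; then
            printf 'apport=%s upstream_affected=%s\n' "$av" "$(apport_upstream_affected "$av")"
        fi
    fi
}

# mitigate_persist: apply Red Hat's interim setting now and make it survive a
# reboot. Must run as root. The 99- prefix (an assumption of this example) is
# chosen so the file sorts after the vendor file that sets the value; systemd
# ships 50-coredump.conf with fs.suid_dumpable=2. Verify with
#   grep -r suid_dumpable /etc/sysctl.d /usr/lib/sysctl.d
mitigate_persist() {
    sysctl -w fs.suid_dumpable=0
    printf 'fs.suid_dumpable = 0\n' > /etc/sysctl.d/99-suid-dumpable.conf
}

case "${1:-}" in
    --audit)    audit_live ;;
    --mitigate) mitigate_persist ;;
esac
```

Run it with `--audit` to see the live classification and, if the status is `exposed`, with `--mitigate` as root. The classification deliberately treats fs.suid_dumpable=1 as exposed regardless of the handler, because in that mode the kernel already hands the user a readable dump without any race.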


Similar recommendations and warnings have been issued by Amazon Linux, Debian, and Gentoo. Note that Debian does not use systemd-coredump by default and is therefore not affected by CVE-2025-4598 unless that package is explicitly installed, and that Ubuntu, which uses Apport as its crash handler, is not affected by this particular vulnerability either.


Qualys representatives emphasized that ignoring the risks associated with memory dump handler vulnerabilities could lead to the leakage of critical information, including passwords, encryption keys, and personal data. This poses not only technological but also legal and reputational risks. Organizations are strongly advised to apply updates, implement protective measures, increase monitoring, and tighten access controls.