Linux Crash Reporting Flaws (CVE-2025-5054, 4598) Expose Password Hashes

HackRead

Qualys details CVE-2025-5054 and CVE-2025-4598, critical vulnerabilities affecting Linux crash reporting tools like Apport and systemd-coredump. Learn how to protect your Ubuntu, Red Hat, and Fedora systems.

Cybersecurity experts at Qualys have uncovered two significant weaknesses in common Linux operating systems. These information disclosure vulnerabilities, found in software tools called Apport and systemd-coredump, could allow attackers to steal sensitive information like password hashes from affected systems, reveals Qualys’ report shared with Hackread.com.

**Understanding the Flaws**

The Qualys Threat Research Unit (TRU) identified these issues as race-condition vulnerabilities: an attacker exploits a brief window while the crash handler is processing a crashed program in order to gain unauthorized access.

The first, tracked as CVE-2025-5054, affects Apport, Ubuntu’s built-in crash-reporting system. The flaw arises because the check that detects whether a crashing process has been replaced by another process in a container happens too late, so sensitive information can be forwarded to the container and leaked there.

The second, CVE-2025-4598, targets systemd-coredump, a similar tool serving as the default crash handler on Red Hat Enterprise Linux 9 and 10, as well as Fedora. This flaw allows an attacker to crash a SUID process (a program that runs with special permissions) and quickly replace it with a regular program.

If the attacker wins this race, they can then read the core dump of the original SUID process, gaining access to sensitive data that was in its memory, such as password hashes from the /etc/shadow file.

Both Apport and systemd-coredump are designed to create core dumps (snapshots of a program’s memory when it crashes). These dumps are very useful for developers trying to fix software problems. However, they can also contain private information, such as passwords or encryption keys. Normally, access to these files is restricted to prevent misuse.

According to Qualys’ blog post, its TRU has created proofs of concept (PoCs) showing how a local attacker could use these vulnerabilities. Specifically, they’ve shown how an attacker could exploit a crashed program like unix_chkpwd (which checks user passwords) to steal password hashes from /etc/shadow, a critical system file containing user password hashes.

“The exploitation of vulnerabilities in Apport and systemd-coredump can severely compromise the confidentiality at high risk, as attackers could extract sensitive data, like passwords, encryption keys, or customer information from core dumps.”

Saeed Abbasi, Manager Product – Threat Research Unit, Qualys

**Who is Affected and How to Protect Yourself**

Many Linux systems are impacted by these newly discovered flaws. For Apport, all Ubuntu releases since 16.04 are vulnerable, with versions up to 2.33.0 being affected, including the recent Ubuntu 24.04.

For systemd-coredump, Fedora 40 and 41, along with Red Hat Enterprise Linux 9 and the newly released RHEL 10, are at risk. Debian systems are generally safe by default unless systemd-coredump has been manually installed.

Exploiting these vulnerabilities could lead to serious security breaches, risking the confidentiality of sensitive data and potentially causing system downtime or reputational damage for organizations.

To help protect systems, Qualys recommends setting the /proc/sys/fs/suid_dumpable parameter to 0. This disables core dumps for programs that run with special permissions, which can act as a temporary fix if immediate software patches aren’t available. Qualys is also releasing new security scan IDs (QIDs), such as QID 383314, to help organizations detect these vulnerabilities.
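The suid_dumpable mitigation above, as an added example script that is not from the Qualys report or the HackRead article: it audits the live kernel value and can write a sysctl drop-in to pin it to 0 across reboots. The drop-in path and the function names are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example: audit/apply fs.suid_dumpable=0 (mitigation for CVE-2025-5054 /
# CVE-2025-4598). The drop-in file name below is an assumption.
set -eu

SYSCTL_KEY="fs.suid_dumpable"
PROC_PATH="${PROC_PATH:-/proc/sys/fs/suid_dumpable}"
DROPIN="${DROPIN:-/etc/sysctl.d/90-suid-dumpable.conf}"   # assumed name

# Interpret a suid_dumpable value. Exit status: 0 = safe (value 0),
# 1 = set-user-ID processes can still be dumped (1 or 2), 2 = unexpected input.
assess_suid_dumpable() {
    case "$1" in
        0) echo "ok: set-user-ID processes are not core-dumped"; return 0 ;;
        1) echo "RISK: value 1 (debug) core-dumps SUID processes"; return 1 ;;
        2) echo "RISK: value 2 (suidsafe) passes SUID dumps to the core handler"; return 1 ;;
        *) echo "unexpected value: $1"; return 2 ;;
    esac
}

# Read the live kernel value; status 2 if this host does not expose it.
read_live_value() {
    [ -r "$PROC_PATH" ] || return 2
    tr -d '[:space:]' < "$PROC_PATH"
}

# Write a sysctl drop-in so the setting survives reboots. The target path is a
# parameter so it can be exercised against a scratch file before touching /etc.
write_dropin() {
    printf '# Mitigation for CVE-2025-5054 / CVE-2025-4598 (Apport, systemd-coredump)\n%s = 0\n' \
        "$SYSCTL_KEY" > "$1"
}

# Apply now (requires root) and persist; falls back to /proc if sysctl is absent.
apply_mitigation() {
    write_dropin "$DROPIN"
    if command -v sysctl >/dev/null 2>&1; then
        sysctl -w "$SYSCTL_KEY=0"
    else
        echo 0 > "$PROC_PATH"
    fi
}

# Dispatch only on an explicit argument: "--check" audits, "--apply" mitigates.
case "${1:-}" in
    --check) val="$(read_live_value)" || { echo "$PROC_PATH not readable"; exit 2; }
             assess_suid_dumpable "$val" ;;
    --apply) apply_mitigation ;;
esac
```

Run with `--check` on each host as the audit step, and with `--apply` as root only on hosts where no vendor patch is available yet.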

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), advises treating crash management as a secure data pipeline, isolating or disabling dump processing, encrypting dumps, shredding data post-triage, and tightening handler controls, to reduce risk and stay ahead of future threats.
