Full Report
Two information disclosure flaws have been identified in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU). Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to sensitive information. Tools like
Analysis Summary
# Vulnerability: Race Condition Information Disclosure in Apport and systemd-coredump
## CVE Details
- CVE ID: CVE-2025-5054, CVE-2025-4598
- CVSS Score: 4.7 (Medium) for both
- CWE: Race Condition (Not explicitly stated, but implied by description)
## Affected Systems
- Products: Canonical `apport`, `systemd-coredump`
- Versions:
  - `apport`: Up to and including 2.32.0 (for CVE-2025-5054)
  - `systemd-coredump`: Specific vulnerable versions not listed, but applies to distributions using it.
- Configurations: Systems where core dump handling for SUID binaries is enabled. Debian systems are only affected if `systemd-coredump` is manually installed. Ubuntu releases are noted as *not* susceptible to CVE-2025-4598.
## Vulnerability Description
Both vulnerabilities are race condition flaws in Linux core dump handlers (`apport` and `systemd-coredump`) that allow a local attacker to potentially gain read access to sensitive information contained within a core dump generated by a SUID program.
**CVE-2025-5054 (apport):** A race condition allows an attacker to leak sensitive information via PID-reuse by leveraging namespaces during apport's consistency checks on a crashing process within a container environment.
**CVE-2025-4598 (systemd-coredump):** An attacker can exploit a race condition by forcing a SUID process to crash and quickly replacing it with a non-SUID process that reuses the same PID, tricking `systemd-coredump` into writing a core dump that contains the privileged process's memory state (e.g., sensitive data such as `/etc/shadow` content).
## Exploitation
- Status: PoC available (Qualys TRU has demonstrated exploitation targeting `unix_chkpwd` to leak password hashes from `/etc/shadow`).
- Complexity: Medium (Red Hat rated the attack complexity as high, since it requires an unprivileged local account and successfully winning the race condition).
- Attack Vector: Local
## Impact
- Confidentiality: High (Sensitive data like password hashes, encryption keys can be leaked from core dumps).
- Integrity: Low (Not the primary impact)
- Availability: Low (Not the primary impact)
## Remediation
### Patches
Patches are available from the vendors involved (Canonical, Red Hat, etc.). Users should apply security updates for `apport` and `systemd`.
For `apport`, install a version newer than 2.32.0.
### Workarounds
As a temporary mitigation for CVE-2025-4598 (systemd-coredump), users can disable core dump generation for SUID binaries by running the following command as root:
```sh
echo 0 > /proc/sys/fs/suid_dumpable
```
**Note:** This workaround prevents analysis of crashes for SUID binaries.
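An added example (not from the advisory or either vendor) that audits a host for the two points above: what `fs.suid_dumpable` currently allows, which handler `kernel.core_pattern` pipes SUID dumps into, and whether an installed `apport` version falls within the affected range; it also applies the workaround persistently. The `/etc/sysctl.d` file name is this example's own choice, and the helper functions take their input as arguments so they can be exercised without root.

```sh
#!/bin/sh
# Audit and mitigation helpers for CVE-2025-5054 / CVE-2025-4598 (added example).

# Explain what a fs.suid_dumpable value means for SUID core dumps.
suid_dumpable_status() {
    case "$1" in
        0) echo "mitigated: SUID processes are never dumped" ;;
        1) echo "exposed: debug mode, dump written as the unprivileged user" ;;
        2) echo "exposed: SUID dumps are handed to the core handler" ;;
        *) echo "unknown value: $1" ;;
    esac
}

# Identify the core dump handler from kernel.core_pattern. A leading '|'
# pipes the dump into a program; apport and systemd-coredump are the two
# handlers the advisory covers, anything else is reported as-is.
core_handler() {
    case "$1" in
        "|"*apport*)           echo apport ;;
        "|"*systemd-coredump*) echo systemd-coredump ;;
        "|"*)                  echo other-pipe ;;
        *)                     echo file ;;
    esac
}

# Numeric dot-separated comparison: returns 0 if $1 <= $2 (e.g. 2.32 <= 2.32.0).
version_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a= || a=${a#*.}
        [ "$b" = "$bi" ] && b= || b=${b#*.}
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 0
}

# True if the upstream apport version is <= 2.32.0, the last affected release
# named above. The distro suffix (e.g. "-0ubuntu1") is dropped, so a patched
# distro build of 2.32.0 still reports as affected; confirm against the vendor advisory.
apport_version_affected() { version_le "${1%%-*}" 2.32.0; }

audit() {
    suid_dumpable_status "$(cat /proc/sys/fs/suid_dumpable)"
    echo "core handler: $(core_handler "$(cat /proc/sys/kernel/core_pattern)")"
}

# Apply the workaround now and persist it across reboots (run as root).
apply_workaround() {
    sysctl -w fs.suid_dumpable=0
    printf 'fs.suid_dumpable = 0\n' > /etc/sysctl.d/60-no-suid-coredumps.conf
}

case "${1:-}" in audit) audit ;; apply) apply_workaround ;; esac
```

Run with `sh audit.sh audit` to report the current state, or `sh audit.sh apply` as root to set and persist the workaround.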
## Detection
- Indicators of Compromise: Look for unexpected core dump files written outside of standard locations, or unusual process activity potentially involving rapid PID reuse near a program crash.
- Detection methods and tools: Focused monitoring of crash reporting mechanisms and system calls related to process creation and file access during crashes.
## References
- Vendor advisories from Canonical and Red Hat.
- Qualys TRU Report on CVE-2025-5054 and CVE-2025-4598.
- Relevant links (defanged):
  - hxxps://wiki.ubuntu.com/Apport
  - hxxps://www.freedesktop.org/software/systemd/man/latest/systemd-coredump.html
  - hxxps://www.openwall.com/lists/oss-security/2025/05/29/3
  - hxxps://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
  - hxxps://ubuntu.com/blog/apport-local-information-disclosure-vulnerability-fixes-available
  - hxxps://access.redhat.com/security/cve/CVE-2025-4598
  - hxxps://explore.alas.aws.amazon.com/CVE-2025-4598.html
  - hxxps://security-tracker.debian.org/tracker/CVE-2025-4598
  - hxxps://bugs.gentoo.org/show_bug.cgi?id=CVE-2025-4598