According to the Qualys Threat Research Unit (TRU), two disclosure flaws have been identified in Ubuntu, Red Hat Enterprise Linux and Fedora’s core dump handlers Appport and SystemD-Coredump.
When tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are racial bugs that allow local attackers to gain access to access sensitive information. Tools like Appport and SystemD-Coredump are designed to handle crash reports and core dumps on Linux systems.
“These race conditions allow local attackers to exploit the SUID program and gain read access to the resulting core dump,” said Saeed Abbasi, product manager at Qualys Tru.
A brief explanation of the two defects can be found below –
- CVE-2025-5054 (CVSS score: 4.7) – Race conditions for standard Appport packages up to 2.32.0 that allow local attackers to leak sensitive information via PID -Reuse by leveraging namespaces
- CVE-2025-4598 (CVSS Score: 4.7) – With the racing condition of SystemD-Coredump that forces an attacker to crash a SUID process and allows the attacker to access the original privileged process CoreDump, allowing the attacker to read sensitive data such as /etc /shadow content loaded into the original process.
SUID, short for SET user ID, is a special file permission that allows users to run programs with owner privileges rather than their own permission.
“When an application crashes, Appport tries to detect whether the crash process is running inside the container before performing a consistency check,” says Octavio Galland of Canonical.
“This means that if a local attacker induces a crash in a privileged process and quickly replaces it with another process with the same process ID in the mount and PID namespace, Appport will try to forward a core dump (which may contain sensitive information belonging to the original privileged process) into the namespace.”
According to Red Hat, CVE-2025-4598 has been rated moderately severity, noting that the high complexity in pulling vulnerability exploits means that attackers must first win racial conditions and own local accounts in non-residential places.
As a mitigation, Red Hat said that users can run the command “Echo 0>/proc/sys/fs/suid_dumpable” as the root user.
The “/proc/sys/fs/suid_dumpable” parameter essentially controls whether a SUID program can generate a core dump after a crash. By setting it to zero, it disables core dumps for all SUID programs and prevents them from being analyzed in the event of a crash.
“This will disable the ability to analyze crashes for such binary, whilst this vulnerability will not allow SystemD packages to be updated,” says Red Hat.
Similar recommendations have been issued by Amazon Linux, Debian, and Gentoo. It is worth noting that the Devine System is not affected by CVE-2025-4598 by default, as it does not contain a core dump handler unless the SystemD-Coredump package is installed manually. CVE-2025-4598 will not affect Ubuntu releases.
Qualys has also developed proof of concept (POC) code for both vulnerabilities, demonstrating how local attackers can leverage coredump in the crashed UNIX_CHKPWD process.
The impact of CVE-2025-5054 stated that the impact of CVE-2025-5054 is limited to the confidentiality of the memory space of the called SUID executable, and that POC exploits could have hashed and leak user passwords.
“Exploitation of the Appport and SystemD-Coredump vulnerabilities can significantly undermine high-risk confidentiality, as attackers can extract sensitive data such as passwords, encryption keys, and customer information from core dumps,” Abbasi said.
“Drawer fallout includes operational downtime, reputational damage, and potential violations of regulations. To effectively mitigate these multifaceted risks, businesses must prioritize patching and mitigation, enforce robust monitoring and tighten access controls, and adopt proactive security measures.”
