Cybersecurity experts are raising concerns about newly discovered vulnerabilities in several widely used Linux distributions that could potentially expose sensitive password information.
These flaws, primarily affecting the way core dump files are handled after application crashes, create an opportunity for local attackers to gain unauthorized access to password hashes and other critical data.
The Qualys Threat Research Unit (TRU) recently identified two race condition vulnerabilities, tracked as CVE-2025-5054 and CVE-2025-4598, in the core dump handling mechanisms of Ubuntu (Apport) and Red Hat-based systems like Red Hat Enterprise Linux and Fedora (systemd-coredump).
These vulnerabilities arise from the way these systems collect data when programs unexpectedly terminate. An attacker with local access could exploit these flaws to read core dump logs, which might inadvertently contain sensitive information such as password hashes stored in the /etc/shadow file and encryption keys.
According to Saeed Abbasi, Manager of Product at Qualys TRU, successful exploitation of these vulnerabilities could severely compromise the confidentiality of systems, leading to the extraction of sensitive data. This could result in operational downtime, reputational damage, and potential regulatory non-compliance.
While the vulnerabilities require local access, meaning an attacker would already need some level of access to the system, the potential for privilege escalation and further compromise is significant.
Proof-of-concept exploits have already been developed, demonstrating how an attacker could crash the unix_chkpwd process, used for verifying user credentials, and intercept its core dump to retrieve shadow file contents, bypassing conventional permission controls.
In response to these findings, security advisories have been issued by Canonical (Ubuntu) and Red Hat. As a temporary mitigation, Qualys recommends immediately setting the /proc/sys/fs/suid_dumpable setting to 0.
This action disables core dumps for Set-User-ID (SUID) programs, which are often involved in privilege escalation. However, this also disables the ability to analyze crashes for these binaries, which can be useful for debugging.
System administrators are also advised to limit access to core dump directories such as /var/lib/systemd/coredump and to audit local user activity on potentially impacted systems.
Longer-term solutions will involve patching the affected components. Users of Ubuntu 24.04 and older versions, as well as Fedora 40/41 and Red Hat Enterprise Linux 9 and 10, are particularly urged to stay informed about security updates from their respective distributions.
These newly discovered vulnerabilities serve as a critical reminder of the ongoing need for vigilance and timely patching in Linux environments to protect sensitive information and maintain system security.
