A pair of high-severity vulnerabilities discovered by Qualys threaten the security of millions of Linux systems worldwide, exposing hashed credentials stored in / etc / shadow through race condition exploits in the core-dump handlers of major distributions.
These vulnerabilities, tracked as CVE-2025-5054 (apport on Ubuntu) and CVE-2025-4598 (systemd-coredump on Red Hat Enterprise Linux, Fedora, and others), underscore the persistent dangers of subtle bugs in privileged code.
The Technical Analysis
At the core of these vulnerabilities is a classic but powerful “kill-and-replace” race condition targeting the way core dump handlers analyze crashing processes.
When a privileged binary, such as the SUID/SGID unix_chkpwd (used by PAM for password verification), is crashed by an attacker at a precise moment, its memory including the contents of / etc / shadow remains in the core dump.
The attacker then rapidly kills the crashed process and spawns a new process that reuses the same PID. This deception can lead the core-dump handler apport or systemd coredump to analyze the wrong process metadata.
If the handler is sufficiently misled, it may grant the attacker unauthorized access to the core dump from the original, privileged process.
The attack is non-trivial and requires careful orchestration. The attacker first executes a SUID/SGID binary and waits until it has loaded secrets (like password hashes) into memory.
By monitoring filesystem events such as the close of / etc / passwd, which precedes / etc / shadow being read—they can crash the process at the optimal moment.
Timing is critical: crash too soon, and secrets have not yet been loaded; too late, and they are overwritten. Winning the “kill-and-replace” race requires recycling the PID of the crashed process, which can take notable time as modern kernels support millions of PIDs.
Proof of concept
Proof of concept exploits (see below) typically employ rapid process creation with namespace tricks to reliably win the race.
On Ubuntu, for example, the attack abuses the fact that apport’s security checks are only performed after a function _check_global_pid_and_forward() which can be fooled into analyzing a non-privileged process.
This allows an attacker to receive the file descriptor of the core dump via apport’s internal socket and read its contents, including password hashes:
shell$y$j9T$KC0.pKjUYzrr3L8VVNQ8l/$11KufHkbNKHRxgolryPxDQDZ.Ox9kG4RIv0Pxe1FgxA
theadmin:$6$7Ag0AvjQl4XQvSO4$T1mMcQeC0K7FICHEj9pNV20XcUX4IW6Xqg45lyuORtia1vPCOy2Zr...
On Fedora and RHEL, systemd-coredump is even more vulnerable as it lacks sufficient protection against the kill and replace scenario.
The attacker doesn’t even require namespaces just a rapid process respawn with matching UID/GID and a manipulated argv to slow down handler analysis.
Core dumps are then accessed with tools like coredumpctl, revealing password hashes and sometimes even sensitive daemon memory.
Evidence from both advisory and proofs-of-concept shows password hashes from / etc / shadow being exposed, posing catastrophic risks for privilege escalation and offline hash cracking.
Access to such hashes can directly lead to full root compromise on affected machines.
Mitigation, Patching, and Long-Term Solutions
In response to these revelations, Qualys and major Linux vendors recommend immediate mitigations. Administrators should disable setuid core dumps as an urgent workaround:
bashecho 0 > / proc / sys / fs / suid_dumpable
This prevents core dumps for SUID/SGID binaries but may hinder debugging workflows. Permanent fixes involve updating apport and systemd-coredump to:
- Always respect the kernel’s per-process “dumpable” flag (
%din/ proc/ sys / kernel / core_pattern). - Adopt the new
%Fspecifier, implemented during disclosure coordination, to uniquely identify the crashed process even if its PID is recycled.
Patches are rolling out across distributions. All Linux environments, especially servers and cloud deployments, should audit and update core dump configurations immediately.
