New Vulnerabilities in Linux Enable Password Hash Theft Through Core Dumps in Ubuntu, RHEL, and Fedora

May 31, 2025
Vulnerability / Linux

Two information disclosure vulnerabilities have been discovered in Apport and systemd-coredump, the core dump handlers used by Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU). Tracked as CVE-2025-5054 and CVE-2025-4598, both are race condition bugs that allow a local, unprivileged attacker to read data that should stay confidential. Apport and systemd-coredump are the programs the kernel invokes (through kernel.core_pattern) to collect crash reports and core dumps. Saeed Abbasi, product manager at Qualys TRU, noted, “These race conditions enable a local attacker to exploit a SUID program and gain read access to the resultant core dump.” Below is a brief overview of the two vulnerabilities:

  • CVE-2025-5054 (CVSS score: 4.7): A race condition in the Canonical Apport package, versions up to and including 2.32.0, that allows a local attacker to leak sensitive information through PID reuse by leveraging namespaces.
  • CVE-2025-4598 (CVSS score: 4.7): A race condition in…

New Vulnerabilities Uncovered in Linux Core Dump Handlers Could Lead to Password Hash Theft

May 31, 2025

Recent findings from the Qualys Threat Research Unit (TRU) describe two vulnerabilities in the core dump handlers of popular Linux distributions, including Ubuntu, Red Hat Enterprise Linux, and Fedora. Tracked as CVE-2025-5054 and CVE-2025-4598, both are race conditions that let a local attacker read the core dump of a crashed privileged program and so recover sensitive data, password hashes included, from its memory.

Core dump handlers like Apport and systemd-coredump are the programs the kernel hands a crashing process to so that crash reports and debugging state are preserved. The vulnerabilities let an attacker deliberately crash a setuid program and, by winning a race against the handler, obtain read access to a core dump that holds the memory of a process that ran with elevated privileges. Saeed Abbasi, product manager at Qualys TRU, stressed that these race conditions expose data that should otherwise remain confidential.

CVE-2025-5054 (CVSS score 4.7) is a race condition in the Canonical apport package up to and including version 2.32.0. It lets a local attacker exploit process ID (PID) reuse with the help of Linux namespaces: once the setuid process has crashed, its PID can be reoccupied by an attacker-controlled process, so the checks Apport performs on /proc/<pid> see the attacker's process rather than the one that crashed, and the dump ends up where the attacker can read it. CVE-2025-4598, also rated 4.7, is a comparable race condition in systemd-coredump. In both cases the impact is on confidentiality (disclosure of the dump's contents), not on system integrity.
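Both handlers only ever see a setuid crash because the kernel is configured to dump setuid processes (fs.suid_dumpable=2) and to pipe the dump to a userspace program (a kernel.core_pattern beginning with "|"). The following host-side audit is an added example, not code from Qualys, Canonical or the systemd project: it reads those two sysctls (or takes constructed values as arguments), names the handler in use and reports whether setuid dumps still reach apport or systemd-coredump. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not code from Qualys or the apport/systemd projects):
# audit whether this host still hands core dumps of setuid processes to a
# userspace handler. The sysctl semantics are documented in proc(5):
#   fs.suid_dumpable = 0  processes that changed credentials are never dumped
#   fs.suid_dumpable = 1  everything dumps, dump owned by the crashing user
#   fs.suid_dumpable = 2  setuid processes dump only to a pipe or absolute path
# A kernel.core_pattern starting with '|' means the kernel pipes the dump to
# the named program (apport on Ubuntu, systemd-coredump on RHEL and Fedora).

# classify_core_pattern PATTERN -> prints which handler PATTERN invokes
classify_core_pattern() {
    case "$1" in
        '|'*/apport*)           echo apport ;;
        '|'*/systemd-coredump*) echo systemd-coredump ;;
        '|'*)                   echo other-pipe ;;
        *)                      echo file ;;
    esac
}

# suid_dump_exposure DUMPABLE PATTERN -> prints
#   ok        setuid processes are not dumped at all (the mitigation state)
#   exposed   setuid dumps go to one of the two handlers named in the CVEs
#   check:X   setuid dumps go somewhere else; review handler X by hand
suid_dump_exposure() {
    handler=$(classify_core_pattern "$2")
    case "$1" in
        0) echo ok ;;
        *) case "$handler" in
               apport|systemd-coredump) echo exposed ;;
               *) echo "check:$handler" ;;
           esac ;;
    esac
}

# audit_host [DUMPABLE [PATTERN]] -> reads the live sysctls unless values are
# passed in (so the same function can be run on constructed input), prints a
# report and returns 1 when the host is exposed.
audit_host() {
    dumpable=${1:-$(cat /proc/sys/fs/suid_dumpable 2>/dev/null)}
    pattern=${2:-$(cat /proc/sys/kernel/core_pattern 2>/dev/null)}
    status=$(suid_dump_exposure "$dumpable" "$pattern")
    printf 'fs.suid_dumpable    = %s\n' "$dumpable"
    printf 'kernel.core_pattern = %s\n' "$pattern"
    printf 'handler             = %s\n' "$(classify_core_pattern "$pattern")"
    printf 'status              = %s\n' "$status"
    [ "$status" != exposed ]
}

# Mitigation: stop the kernel from dumping setuid processes at all
# (run as root; persist it under /etc/sysctl.d/ so it survives a reboot):
#   sysctl -w fs.suid_dumpable=0

audit_host "$@" || printf 'this host still pipes setuid core dumps to a vulnerable handler\n'
```

Run it with no arguments on a live host, or pass a dumpable value and a core_pattern string to audit_host to evaluate a configuration offline. A status of "exposed" means the handler named in the CVEs still receives setuid dumps and the package version needs checking; "ok" is the state after fs.suid_dumpable is set to 0.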

The implications are most serious for organizations that run multi-user or shared Linux hosts. These are local vulnerabilities: the attacker already needs an unprivileged account or shell on the machine, so they do not provide initial access. What they provide, in MITRE ATT&CK terms, is credential access (a password hash recovered from the memory of a crashed setuid program) and, once that hash is cracked or reused, privilege escalation. An attacker with a low-privileged foothold can use them to work toward root and from there toward further exploitation of the systems the host can reach.

An organization hit this way faces more than one compromised host: recovered hashes can be cracked offline and tried wherever the same credentials are reused, so a single local exploit can turn into a network-wide problem, and the exposure of credential data carries reputational and potential legal consequences of its own.

For business owners, the practical response is patch management: apply the distribution's fixed apport and systemd packages as soon as they are available. Where a patch cannot be applied immediately, the mitigation Qualys recommends is to stop the kernel from dumping setuid processes at all by setting fs.suid_dumpable to 0 (echo 0 > /proc/sys/fs/suid_dumpable). The cost is losing the ability to debug crashes of privileged programs, which is rarely needed on production systems.

Beyond patching, companies should review which hosts run a userspace core dump handler at all and whether fs.suid_dumpable is set to 2, the value these handlers configure so that setuid crashes are collected, and should add monitoring for repeated crashes of setuid binaries, since an attacker racing the handler has to crash the target program to get a dump. Closing these gaps protects sensitive information against local attackers who exploit weaknesses in core operating-system components rather than in the application layer.
