Pierluigi Paganini
May 31, 2025
Researchers discovered a vulnerability in Apport (Ubuntu’s core dump handler) and another bug in systemd-coredump, which is used in the default configuration of Red Hat Enterprise Linux 9 and the Fedora distribution.
systemd-coredump automatically captures “core dumps” (snapshots of a program’s memory), when an application crashes. These dumps can be saved or logged in the system journal, making it easier for developers to inspect them later using tools like GDB. While useful for debugging, core dumps often contain sensitive data, so access is restricted to root by default. It’s used in many Linux distributions like Fedora, RHEL 8+, SUSE, and Arch.
Apport is Ubuntu’s built-in crash reporting tool. When an app crashes, Apport collects important details like stack traces, logs, and package info, and creates a report for developers. These reports can sometimes include personal or system data.
“The Qualys Threat Research Unit (TRU) has discovered two local information-disclosure vulnerabilities in Apport and systemd-coredump.” reads the Qualys’s report.
“Both issues are race-condition vulnerabilities. The first (CVE-2025-5054) affects Ubuntu’s core-dump handler, Apport, and the second (CVE-2025-4598) targets systemd-coredump, which is the default core-dump handler on Red Hat Enterprise Linux 9 and the recently released 10, as well as on Fedora. These race conditions allow a local attacker to exploit a SUID program and gain read access to the resulting core dump.”
Both vulnerabilities, tracked as CVE-2025-5054 and CVE-2025-4598 (CVSS score: 4.7), are race condition issues that allow local attackers access to core dumps of crashed SUID programs by quickly replacing the process before the system finishes analyzing it.
“We discovered a vulnerability in apport (Ubuntu’s core-dump handler), and a similar vulnerability in systemd-coredump (which is the default core-dump handler on Red Hat Enterprise Linux 9 and Fedora for example): a race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (by quickly replacing the crashed SUID process with another process, before its /proc/pid/ files are analyzed by the vulnerable core-dump handler).” reads the advisory.
Qualys TRU created POCs to exploit core dumps from the unix_chkpwd process and extract password hashes from the /etc/shadow file on Linux systems.
Apport is vulnerable in Ubuntu 24.04 and all versions since 16.04 (up to version 2.33.0). systemd-coredump is affected in Fedora 40/41, RHEL 9, and RHEL 10. Debian isn’t vulnerable by default.
To prevent data leaks in crashes, set /proc/sys/fs/suid_dumpable to 0 to disables core dumps for SUID programs. It’s a temporary fix if patches aren’t available.
“The exploitation of vulnerabilities in Apport and systemd-coredump can severely compromise the confidentiality at high risk, as attackers could extract sensitive data, like passwords, encryption keys, or customer information from core dumps. The fallout includes operational downtime, reputational damage, and potential non-compliance with regulations.” concludes the report. “To mitigate these multifaceted risks effectively, enterprises should adopt proactive security measures by prioritizing patches and mitigations, enforcing robust monitoring, and tightening access controls.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Linux)
