Linux users worldwide are facing a new security threat as critical vulnerabilities have been discovered in core dump handlers across Ubuntu, Red Hat Enterprise Linux (RHEL), and Fedora. These flaws could allow attackers to steal sensitive data, including password hashes and encryption keys, from millions of devices, highlighting a significant oversight in system security.

Unmasking the Vulnerabilities

Security researchers at Qualys Threat Research Unit (TRU) have identified two critical race-condition vulnerabilities: CVE-2025-5054 and CVE-2025-4598. These flaws exploit the mechanisms designed to handle system crashes, specifically Apport in Ubuntu and systemd-coredump in RHEL and Fedora.

• CVE-2025-5054 (Ubuntu's Apport): This vulnerability allows a local attacker to manipulate process ID reuse and Linux namespaces. By doing so, they can substitute a privileged process with another before Apport completes its checks, redirecting sensitive memory data, such as password hashes from /etc/shadow, into an attacker-controlled namespace.

• CVE-2025-4598 (RHEL/Fedora's systemd-coredump): This flaw enables an attacker to crash a SUID (Set User ID) process and quickly replace it with a non-SUID process. This tricks systemd-coredump into granting access to the privileged core dump, potentially exposing hashed passwords and other critical information.

Both vulnerabilities leverage race conditions, allowing attackers to exploit SUID programs and gain unauthorized read access to core dumps. Proof-of-concept exploits have demonstrated how the process, a standard component for password verification, can be targeted to extract password hashes.

Affected Systems and Potential Impact

The vulnerabilities affect a wide range of Linux distributions:

• Ubuntu: All releases from 16.04 to 24.04 are vulnerable through Apport versions up to 2.33.0.

• Red Hat Enterprise Linux: RHEL 9 and 10 are exposed through systemd-coredump.

• Fedora: Fedora 40 and 41 are also impacted via systemd-coredump.

Debian systems are not vulnerable by default unless is manually installed. The potential impact of these flaws is severe, ranging from privilege escalation and lateral movement within networks to operational downtime, reputational damage, and regulatory non-compliance. The ability to extract password hashes could grant attackers a significant foothold in compromised systems.

Immediate Mitigation and Long-Term Solutions

While permanent patches are being developed, security experts recommend an immediate critical mitigation:

• Disable SUID Core Dumps: Set the /proc/sys/fs/suid_dumpable parameter to 0. This command (echo 0 > /proc/sys/fs/suid_dumpable) disables core dumps for all SUID programs, effectively neutralizing the attack vector. While this may temporarily disable some debugging capabilities for SUID programs, it is a crucial stopgap measure.

Organizations are urged to prioritize applying vendor patches as soon as they become available from Ubuntu, Red Hat, and Fedora. Additionally, system administrators should limit access to directories like and audit local user activity on potentially impacted systems.

This discovery underscores the critical importance of proactive vulnerability management and robust mitigation strategies. Core dumps, while valuable for debugging, represent a high-value target for attackers due to the sensitive data they can contain. Moving forward, developers are encouraged to rethink core dump design, potentially by processing memory dumps in isolated namespaces or containers, encrypting dumps, and enforcing secure deletion.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

• Critical Linux Vulnerabilities Expose Password Hashes on Millions of Linux Systems Worldwide, CybersecurityNews.

• Linux Crash Dump Flaws Expose Passwords, Encryption Keys, Bank Info Security.

• New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora, The Hacker News.

• New Linux Security Bugs Could Expose Password Hashes Across Millions of Devices, GBHackers News.