systemd-coredump: SUID process race condition in systemd-coredump (CVE-2025-4598) #shorts

Summary

In today’s episode, we’re breaking down CVE-2025-4598, a critical local information disclosure flaw in systemd-coredump. Discovered by Qualys TRU and patched in Fedora 41 and Red Hat Enterprise Linux releases, this vulnerability lets a local attacker exploit a race condition to read the memory of a privileged process, including the contents of sensitive files such as /etc/shadow that the process had loaded.

Product details

CVE-2025-4598 affects the systemd-coredump component in multiple distributions: Red Hat Enterprise Linux 7, 8, 9, and 10, Red Hat OpenShift Container Platform 4, and Fedora 41. All versions prior to the June 2025 security updates are vulnerable to this flaw.

Vulnerability type summary

The root cause is a signal handler race condition in systemd-coredump. It’s classified as a local information disclosure vulnerability because an unprivileged user can trigger a privileged process crash and manipulate the core dump mechanism to gain access to sensitive data loaded in memory.

Details of the vulnerability

systemd-coredump normally captures crash dumps for SUID processes while running as root. An attacker can force a target SUID binary to crash and immediately start a non-SUID process that the kernel assigns the same, just-freed PID. If the attacker wins this race before systemd-coredump inspects /proc/<pid>/auxv, the service writes the privileged process's core dump, with root privileges, to a file the attacker can read. That dump may contain confidential data such as password hashes or other secrets from memory. No remote access is required; local code execution is enough to trigger the crash and substitute the process.

Conclusion

CVE-2025-4598 poses a serious confidentiality risk on any system running unpatched systemd-coredump. Administrators should apply the Fedora 41 update or the June 2025 Red Hat Enterprise Linux security advisory immediately. Regularly updating packages and following vendor security bulletins remains the best defense against race-condition exploits like this one.

Watch the full video on YouTube: CVE-2025-4598

Remediation and exploitation details

This chain involves the following actors

  • Local attacker: Nonprivileged user who can execute programs and signal processes
  • System administrator: Maintains system packages and monitors service health

The following systems are involved

  • systemd-coredump (collects and writes crash dump files when a process fails): crash handler that is vulnerable to process identifier reuse
  • Linux kernel (schedules processes and recycles process identifiers): its reassignment of a terminated process identifier opens the race window
  • Privileged set-user-identifier binary (runs with elevated permissions to access restricted data): victim process whose crash dump contains sensitive information

Attack entry point

  • Local user session: Shell access that allows execution of binaries and sending signals to other processes

Remediation actions

  • System administrator: Install the vendor update for systemd that includes the race-condition fix (system: systemd-coredump)
  • System administrator: Verify the systemd version and restart the crash handler service after upgrade (system: systemd-coredump)
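As a companion to the verification step above, here is an added audit helper (not from the page, Red Hat, or the systemd project) that reports the installed systemd version and whether set-user-ID core dumps on this host are routed through systemd-coredump at all. It assumes a Linux host and relies on the kernel sysctls fs.suid_dumpable and kernel.core_pattern, which the page itself does not mention.

```shell
#!/bin/sh
# Added audit helper for CVE-2025-4598 exposure (example code, not the project's own).
# Assumes Linux; reads fs.suid_dumpable and kernel.core_pattern from /proc/sys.

# Returns 0 when the kernel may dump set-user-ID processes at all.
# $1: value of fs.suid_dumpable (0 = never, 1 = dump as the user, 2 = dump via
# the core_pattern pipe as root). 0 removes the privileged dump this race needs.
suid_dumps_enabled() {
    [ "$1" != "0" ]
}

# Returns 0 when core dumps are piped into systemd-coredump, i.e. the
# vulnerable component sits in the dump path. $1: kernel.core_pattern value.
core_pattern_uses_systemd_coredump() {
    case "$1" in
        \|*systemd-coredump*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the major version from "systemctl --version" output such as
# "systemd 257 (257.5-1.fc41)"; prints nothing if the output is unrecognised.
systemd_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# Live audit: print what an administrator compares against the vendor advisory.
audit_host() {
    dumpable=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unknown)
    pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo unknown)
    version=$(systemd_version_from_output "$(systemctl --version 2>/dev/null)")
    printf 'systemd version     : %s\n' "${version:-not found}"
    printf 'kernel.core_pattern : %s\n' "$pattern"
    printf 'fs.suid_dumpable    : %s\n' "$dumpable"
    if core_pattern_uses_systemd_coredump "$pattern" && suid_dumps_enabled "$dumpable"; then
        echo "RESULT: SUID core dumps flow through systemd-coredump; confirm the vendor fix is installed."
    else
        echo "RESULT: SUID core dumps are not handled by systemd-coredump on this host."
    fi
}

if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it with `--audit` on the host; the version line is what you compare against the Fedora 41 or Red Hat advisory, since the script deliberately does not hard-code a fixed version.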

Exploitation actions

Process inspection

  • Actor: Local attacker
  • Action: Locate a target set-user-identifier binary on the system
  • System: Local file system
  • Example: ls -l /usr/bin/su

File duplication

  • Actor: Local attacker
  • Action: Prepare a nonprivileged binary with the same owner and group as the target binary
  • System: Local file system
  • Example: cp /bin/true ./exploit_true && chown root:root exploit_true

Forced termination

  • Actor: Local attacker
  • Action: Trigger a crash in the target binary in a tight loop by sending a crash signal
  • System: Privileged set-user-identifier binary
  • Example: while kill -11 <target_pid>; do :; done

Identifier reuse race

  • Actor: Local attacker
  • Action: Immediately launch the prepared nonprivileged binary to obtain the same process identifier
  • System: Linux kernel / systemd-coredump
  • Example: ./exploit_true &

Sensitive data extraction

  • Actor: Local attacker
  • Action: Read the core dump file produced under the privileged crash handler directory
  • System: systemd-coredump
  • Example: cat /var/lib/systemd/coredump/core.su.* | strings | grep shadow

Related Content

CVE database technical details

CVE ID: CVE-2025-4598

Description: A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

Provider: redhat

CWE / problem types: Signal Handler Race Condition

Affected Software Versions (the database entry lists no specific version ranges):
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 10
  • Red Hat OpenShift Container Platform 4

Date Published: 2025-05-30T13:13:26.049Z

Last Updated: 2025-06-17T17:37:48.690Z