CVE-2025-4598

30.05.2025, 14:15

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.

A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
redhat	CNA	4.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Debian Releases

Debian Product

Codename

systemd

bullseye	vulnerable
bullseye (security)	vulnerable
bookworm	vulnerable
bookworm (security)	252.38-1~deb12u1 fixed
sid	257.7-1 fixed
trixie	257.7-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

systemd

plucky	Fixed 257.4-1ubuntu3.1 released
oracular	Fixed 256.5-2ubuntu3.3 released
noble	Fixed 255.4-1ubuntu8.8 released
jammy	Fixed 249.11-0ubuntu3.16 released
focal	Fixed 245.4-4ubuntu3.24+esm1 released
bionic	not-affected
xenial	not-affected
trusty	not-affected

Common Weakness Enumeration

CWE-364 - Signal Handler Race Condition
The software uses a signal handler that introduces a race condition.

Vulnerability Media Exposure

[GERMAN] Oracle Communications: Mehrere Schwachstellen
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Published: 2025-07-15T22:00:00+00:00

References

https://access.redhat.com/security/cve/CVE-2025-4598

https://bugzilla.redhat.com/show_bug.cgi?id=2369242

https://www.openwall.com/lists/oss-security/2025/05/29/3

http://www.openwall.com/lists/oss-security/2025/06/05/1

http://www.openwall.com/lists/oss-security/2025/06/05/3