CVE-2025-4598

30.05.2025, 14:15

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.

A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
redhat	CNA	4.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 10%

Vendor	Product	Version
systemd_project	systemd	𝑥 < 252.37
systemd_project	systemd	253 ≤ 𝑥 < 253.32
systemd_project	systemd	254 ≤ 𝑥 < 254.25
systemd_project	systemd	255 ≤ 𝑥 < 255.19
systemd_project	systemd	256 ≤ 𝑥 < 256.14
systemd_project	systemd	257 ≤ 𝑥 < 257.6
redhat	openshift_container_platform	4.0
redhat	enterprise_linux	7.0
redhat	enterprise_linux	8.0
redhat	enterprise_linux	9.0
redhat	enterprise_linux	10.0
debian	debian_linux	11.0
debian	debian_linux	12.0
linux	linux_kernel	𝑥 < 6.16

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

systemd

bullseye	vulnerable
bullseye (security)	247.3-7+deb11u7 fixed
bookworm	vulnerable
bookworm (security)	252.38-1~deb12u1 fixed
trixie	257.7-1 fixed
forky	258~rc3-1 fixed
sid	258~rc3-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

systemd

plucky	Fixed 257.4-1ubuntu3.1 released
oracular	Fixed 256.5-2ubuntu3.3 released
noble	Fixed 255.4-1ubuntu8.8 released
jammy	Fixed 249.11-0ubuntu3.16 released
focal	Fixed 245.4-4ubuntu3.24+esm1 released
bionic	not-affected
xenial	not-affected
trusty	not-affected

Known Exploits!

Common Weakness Enumeration

CWE-364 - Signal Handler Race Condition
The software uses a signal handler that introduces a race condition.

References

https://access.redhat.com/security/cve/CVE-2025-4598

https://bugzilla.redhat.com/show_bug.cgi?id=2369242

https://www.openwall.com/lists/oss-security/2025/05/29/3

http://www.openwall.com/lists/oss-security/2025/06/05/1

http://www.openwall.com/lists/oss-security/2025/06/05/3

https://blogs.oracle.com/linux/post/analysis-of-cve-2025-4598

https://ciq.com/blog/the-real-danger-of-systemd-coredump-cve-2025-4598/

https://www.openwall.com/lists/oss-security/2025/08/18/3