CVE-2025-4598 | THREATINT

Description

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

PUBLISHED Reserved 2025-05-12 | Published 2025-05-30 | Updated 2026-06-02 | Assigner redhat

MEDIUM: 4.7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

Signal Handler Race Condition

Product status

Default status

unaffected

Any version before 252.37

affected

253.0 (semver) before 253.32

affected

254.0 (semver) before 254.25

affected

255.0 (semver) before 255.19

affected

256.0 (semver) before 256.14

affected

257.0 (semver) before 257.6

affected

Default status

affected

0:257-23.el10 (rpm) before *

unaffected

Default status

affected

0:252-55.el9_7.7 (rpm) before *

unaffected

Default status

affected

0:252-55.el9_7.7 (rpm) before *

unaffected

Default status

affected

7 (rpm) before *

unaffected

Default status

affected

8 (rpm) before *

unaffected

Default status

affected

1769512383 (rpm) before *

unaffected

Default status

affected

1767888970 (rpm) before *

unaffected

Default status

affected

1767904573 (rpm) before *

unaffected

Default status

affected

1.5.9-1765201856 (rpm) before *

unaffected

Default status

unaffected

Default status

unaffected

Default status

unaffected

Default status

affected

Default status

affected

Default status

unaffected

Default status

affected

Default status

unaffected

Timeline

2025-05-29:	Reported to Red Hat.
2025-05-29:	Made public.

References

www.openwall.com/lists/oss-security/2025/06/05/1

www.openwall.com/lists/oss-security/2025/06/05/3

www.openwall.com/lists/oss-security/2025/08/18/3

blogs.oracle.com/linux/post/analysis-of-cve-2025-4598

ciq.com/...he-real-danger-of-systemd-coredump-cve-2025-4598/

lists.debian.org/debian-lts-announce/2025/07/msg00022.html

seclists.org/fulldisclosure/2025/Jun/9

www.openwall.com/lists/oss-security/2025/08/18/3

cert-portal.siemens.com/productcert/html/ssa-082556.html

access.redhat.com/errata/RHSA-2025:22660 (RHSA-2025:22660) vendor-advisory

access.redhat.com/errata/RHSA-2025:22868 (RHSA-2025:22868) vendor-advisory

access.redhat.com/errata/RHSA-2025:23227 (RHSA-2025:23227) vendor-advisory

access.redhat.com/errata/RHSA-2025:23234 (RHSA-2025:23234) vendor-advisory

access.redhat.com/errata/RHSA-2026:0414 (RHSA-2026:0414) vendor-advisory

access.redhat.com/errata/RHSA-2026:1652 (RHSA-2026:1652) vendor-advisory

access.redhat.com/errata/RHSA-2026:18153 (RHSA-2026:18153) vendor-advisory

access.redhat.com/security/cve/CVE-2025-4598 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2369242 (RHBZ#2369242) issue-tracking

www.openwall.com/lists/oss-security/2025/05/29/3

cve.org (CVE-2025-4598)

nvd.nist.gov (CVE-2025-4598)

Download JSON

help @ threatint.eu