Attack Surface Management, Security Operations
Race-Condition Bugs in Ubuntu and Red Hat Tools Could Leak Sensitive Memory Data

Hackers could exploit a tool that stores crashed system data in older Linux operating systems to obtain passwords and encryption keys, say researchers.
The vulnerability lies in the way certain Linux distributions, including older versions of Ubuntu, Red Hat, and Fedora, handle application crashes. Tools like Apport (Ubuntu) and systemd-coredump (Red Hat and Fedora) collect data when programs fail. A flaw in their design could allow attackers with local access to read core-dump crash logs. The logs may contain sensitive information such as password hashes and encryption keys, potentially giving hackers a foothold to escalate privileges or compromise other parts of the system.
The Qualys Threat Research Unit identified two race-condition vulnerabilities tracked as CVE-2025-5054 and CVE-2025-4598 in the core-dump frameworks. An unprivileged attacker could access data such as password hashes stored in /etc/shadow.
The newly disclosed flaws highlight how core dump handlers are an overlooked attack surface in Linux environments, said Jason Soroko, senior fellow at certificate lifecycle management provider Sectigo. “Crash handlers remain a hidden weak point in Linux hygiene,” he said.
Attackers exploiting the flaws wait for a SUID process to crash and then “race the handler” to extract password hashes from memory snapshots without triggering network-based detection. Soroko warned that the attack bypasses “every control that focuses on runtime memory protection.”
Race conditions in core-dump handlers let attackers exploit programs with root permissions such as unix_chkpwd to access memory core dumps. A file with SUID always executes with the same permission level as the user who owns the file.
Linux developers have built protections against hacking core dumps such as implementing strict process ID verification and limiting access to core SUID files. But, “systems running outdated or unpatched versions remain prime targets for vulnerabilities disclosed today by Qualys,” the company wrote.
Qualys published proof-of-concept exploits demonstrating how attackers can crash unix_chkpwd, the helper used to verify user credentials, and intercept its core dump to retrieve shadow file contents, bypassing conventional permission controls.
While permanent patches to fix the vulnerability are developed, Qualys recommends immediately setting /proc/sys/fs/suid_dumpable to 0. This disables core dumps for SUID programs, mitigating the attack vector. Additionally, system administrators should limit access to /var/lib/systemd/coredump or similar directories and audit local user activity on potentially impacted systems.
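A host check for the settings named in the mitigation above, as an added example (not code from Qualys or the distributions). The function names and the OK/EXPOSED/LOOSE labels are this example's own; the default paths are the two named in the article plus the kernel's /proc/sys/kernel/core_pattern, and the directory check reads mode bits only, not ACLs.

```shell
#!/bin/sh
# Added example: audit the core-dump settings named in the mitigation advice.
# Each check takes its path as an argument so it can also be run on a fixture.

# fs.suid_dumpable: 0 means SUID programs never produce a core dump.
suid_dumpable_state() (
    file="${1:-/proc/sys/fs/suid_dumpable}"
    [ -r "$file" ] || { echo UNKNOWN; exit 0; }
    case "$(tr -d '[:space:]' < "$file")" in
        0)   echo OK ;;
        1|2) echo EXPOSED ;;   # 1 = debug, 2 = suidsafe: SUID crashes still dump
        *)   echo UNKNOWN ;;
    esac
)

# kernel.core_pattern: a leading '|' pipes the dump to a userspace handler.
core_handler() (
    file="${1:-/proc/sys/kernel/core_pattern}"
    [ -r "$file" ] || { echo unknown; exit 0; }
    read -r pattern < "$file" || true
    case "$pattern" in
        '|'*apport*)           echo apport ;;
        '|'*systemd-coredump*) echo systemd-coredump ;;
        '|'*)                  echo other-pipe ;;
        *)                     echo file ;;
    esac
)

# Dump directory: flag any permission bit granted to "other" (GNU stat).
dump_dir_state() (
    dir="${1:-/var/lib/systemd/coredump}"
    [ -d "$dir" ] || { echo ABSENT; exit 0; }
    case "$(stat -c '%a' "$dir")" in
        *0) echo OK ;;
        *)  echo LOOSE ;;
    esac
)

# Print one line per setting for the local host.
audit() {
    echo "suid_dumpable: $(suid_dumpable_state)"
    echo "core handler:  $(core_handler)"
    echo "dump dir:      $(dump_dir_state)"
}

audit
```

An EXPOSED result is cleared for the running kernel with `sysctl -w fs.suid_dumpable=0`; the setting does not survive a reboot unless it is also placed in a sysctl configuration file.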
Soroko said developers should recategorize crash dump management as a regulated data pipeline rather than a developer convenience. “We should move memory dump processing into isolated namespaces or containers, or disable it entirely on hosts that don’t require live debugging,” he said. Soroko also recommended encrypting dumps in transit and at rest, enforcing secure deletion after triage, and preventing SUID binaries from writing dumps.
“These changes will cost little compared to a breach triggered by password hash theft and will future-proof estates as vendors rethink core dump design,” he said.