Linux Security Flaw Discovered: Password Hash Theft via Core Dumps in Major Distributions
A new moderate severity security flaw has been discovered in Linux distributions including Ubuntu, Red Hat Enterprise Linux, and Fedora, allowing local attackers to exploit race conditions in core dump handlers to steal password hashes from the /etc/shadow file. Security researchers from Qualys Threat Research Unit have discovered two race condition vulnerabilities in core dump handlers, apport and systemd-coredump. These flaws, tracked as CVE-2025-5054 and CVE-2025-4598, could allow a local attacker to exploit the system by gaining access to sensitive information contained in core dumps. According to Qualys, the vulnerabilities could be used to steal password hashes stored in the /etc/shadow file by exploiting a crashed unix_chkpwd process.
Red Hat has rated the more severe of the two vulnerabilities, CVE-2025-4598, as Moderate in severity, due to the high complexity required to successfully exploit it. Qualys has also developed proof-of-concept code to demonstrate the potential impact of these vulnerabilities. Canonical software security engineer Octavio Galland has explained the issue on Canonical’s blog, stating that a local attacker must manage to induce a crash in a privileged process and quickly replace it with another one within a mount and pid namespace. This would allow apport to forward the core dump, which might contain sensitive information belonging to the original, privileged process, into the namespace.
Canonical’s security team has released updates for the apport package for all affected Ubuntu releases. They recommend users to upgrade all packages, as the unattended-upgrades feature is enabled by default for Ubuntu 16.04 LTS onwards. This service applies new security updates every 24 hours automatically, ensuring that the patches will be applied within 24 hours of being available. Gentoo, Amazon Linux, and Debian have also issued advisories, though Debian systems are not affected by CVE-2025-4598 by default due to the absence of default installation of systemd-coredump package.
System administrators and IT professionals are advised to monitor for updates and ensure systems are patched promptly to mitigate the risk of potential password theft. The security implications of this vulnerability highlight the importance of maintaining up-to-date software and implementing robust security practices to protect against such threats. While the immediate financial impact is not expected, the long-term consequences could be significant for organizations relying on these Linux distributions for critical operations.