
Novel Linux vulnerabilities allow password hash theft


Two novel information disclosure vulnerabilities have been discovered that affect Ubuntu, Red Hat Enterprise, and Fedora Linux. If exploited, the vulnerabilities allow a local attacker to gain access to otherwise protected information.

The vulnerabilities were discovered by researchers at the Qualys Threat Research Unit (TRU). They affect apport and systemd-coredump, the core dump handlers used by the aforementioned Linux distros. The bugs are as follows:

  • CVE-2025-4598: A race condition bug in systemd-coredump that lets an attacker forcibly crash an SUID process and replace it with another, non-SUID binary to gain access to the initial process coredump. Rated 4.7 out of 10 on the CVSS scale.
  • CVE-2025-5054: Another race condition in the apport package up to and including version 2.32.0. If exploited, a local attacker can gain access to sensitive information by reusing process IDs. Rated 4.7 out of 10 on the CVSS scale.

Qualys researchers have developed a working proof-of-concept (POC) exploit that can take advantage of the bugs. The firm’s report on the bugs claims that the POC exploit demonstrates how a local attacker can use the coredump of a crashed unix_chkpwd process, a helper designed to verify user passwords, to steal password hashes from the /etc/shadow file.


However, since the vulnerabilities are moderate in severity, developers aren’t rushing to release patches right away. An advisory from Red Hat notes that exploitation is highly complex and depends largely on the attacker winning the race conditions. The advisory does include the following command to mitigate the issue:

echo 0 > /proc/sys/fs/suid_dumpable

Running the command as the root user stops the system from generating core dumps for SUID binaries, effectively sidestepping the issue. However, Red Hat claims it is not possible to update the systemd package this way because doing so “disables the capability of analyzing crashes for such binaries.” Amazon Linux, Gentoo, and Debian have issued similar advisories. Canonical added that the CVE-2025-5054 vulnerability has limited real-world effect on systems.
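The following shell snippet is an added example, not code from the article or from the Red Hat advisory. It shows how an administrator can check whether the suid_dumpable mitigation is in place and how to persist it across reboots with a sysctl drop-in. The kernel file /proc/sys/fs/suid_dumpable and its values (0, 1, 2) are real; the drop-in path /etc/sysctl.d/99-suid-dumpable.conf and the function names are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the article): audit and persist the suid_dumpable
# mitigation for CVE-2025-4598 / CVE-2025-5054.
#
# Kernel semantics of fs.suid_dumpable:
#   0 = no core dumps for set-uid or otherwise protected processes (the mitigation)
#   1 = dump such processes anyway (debug mode, unsafe)
#   2 = "suidsafe": dump only through a privileged pipe handler, which is the
#       mode systemd-coredump and apport rely on

SUID_DUMPABLE_PATH="${SUID_DUMPABLE_PATH:-/proc/sys/fs/suid_dumpable}"

# suid_dumpable_status [FILE]
# Prints the current state and returns 0 only when SUID core dumps are disabled.
# FILE defaults to the live kernel setting; a path is accepted so the check can
# be run against a captured value (used by the self-test below).
suid_dumpable_status() {
    file="${1:-$SUID_DUMPABLE_PATH}"
    if [ ! -r "$file" ]; then
        echo "unknown: cannot read $file" >&2
        return 2
    fi
    value=$(tr -d '[:space:]' < "$file")
    case "$value" in
        0) echo "disabled (suid_dumpable=0): SUID core dumps are off"; return 0 ;;
        1) echo "enabled (suid_dumpable=1): SUID core dumps are produced"; return 1 ;;
        2) echo "suidsafe (suid_dumpable=2): dumps go to the pipe handler"; return 1 ;;
        *) echo "unexpected value '$value' in $file" >&2; return 2 ;;
    esac
}

# persist_mitigation [DROPIN]
# Writes a sysctl drop-in so fs.suid_dumpable=0 survives a reboot, and applies
# it immediately when run as root. DROPIN path is an assumption for this demo.
persist_mitigation() {
    dropin="${1:-/etc/sysctl.d/99-suid-dumpable.conf}"
    printf 'fs.suid_dumpable = 0\n' > "$dropin" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        # sysctl -p FILE loads settings from that file (procps)
        sysctl -p "$dropin" >/dev/null 2>&1 \
            || echo "warning: wrote $dropin but could not apply it live" >&2
    else
        echo "wrote $dropin; run 'sysctl -p $dropin' as root to apply now" >&2
    fi
    return 0
}

# Usage (as root):
#   suid_dumpable_status   && echo "already mitigated"
#   persist_mitigation     # then re-run suid_dumpable_status to confirm
```

Note that distributions whose crash handler runs as a pipe (systemd-coredump, apport) normally set the value to 2, so a report of "suidsafe" means the mitigation is not applied and the race described above is still reachable; setting 0 trades crash analysis of SUID binaries for closing that window, which is the trade-off Red Hat's advisory describes.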


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
