CVE-2025-4598

4.7 MEDIUM

📋 TL;DR

This vulnerability in systemd-coredump is a race condition that lets a local, unprivileged attacker read the core dump of a privileged (SUID) process. The attacker forces a SUID process to crash and, before systemd-coredump has finished identifying the crashed process, replaces it with a non-SUID binary that reuses the same PID; systemd-coredump then treats the core as belonging to the unprivileged process and makes it readable to the attacker. The memory of the original process can hold root-only data such as the contents of /etc/shadow. It affects Linux systems that use systemd-coredump as the kernel core-dump handler and have SUID binaries installed, which is the normal case.

💻 Affected Systems

Products:
  • systemd-coredump
Versions: Specific versions not specified in CVE description, but Red Hat advisories indicate affected versions in RHEL 8, 9, and related distributions.
Operating Systems: Linux distributions using systemd (RHEL, CentOS, Fedora, Ubuntu, Debian, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires systemd-coredump service enabled and SUID binaries present on the system.

📦 What is this software?

systemd-coredump (part of systemd)

systemd-coredump is the core-dump handler that ships with systemd. systemd registers it with the kernel through kernel.core_pattern (set in /usr/lib/sysctl.d/50-coredump.conf), so whenever a process crashes the kernel pipes the core into systemd-coredump, which records metadata about the crash in the journal and, by default, stores the core under /var/lib/systemd/coredump/. Because it handles crashes of every process on the system, including SUID root ones, the way it decides who may read a stored core is directly security relevant.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker reads root-only data (for example the /etc/shadow hashes loaded by a crashed SUID helper) out of a privileged process's memory; cracked or reused credentials can then lead to full system compromise.

🟠

Likely Case

Local attacker reads privileged memory contents, potentially exposing sensitive configuration files or credentials loaded by SUID processes.

🟢

If Mitigated

With proper patching and security controls, impact is limited to denial of service from forced crashes.

🌐 Internet-Facing: LOW - This is a local information-disclosure flaw that needs an existing shell on the target; it can be a stepping stone to privilege escalation but is not remotely exploitable on its own.
🏢 Internal Only: MEDIUM - Internal attackers with shell access could exploit this to escalate privileges and access sensitive data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires winning a race condition and local shell access. No public exploit code identified in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check specific distribution advisories (RHEL 8: RHSA-2025:22660, RHEL 9: RHSA-2025:22868, etc.)

Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:22660

Restart Required: Yes

Instructions:

1. Update the systemd package with your distribution's package manager.
2. RHEL/CentOS: 'sudo yum update systemd' (or 'sudo dnf update systemd').
3. Ubuntu/Debian: 'sudo apt update && sudo apt install --only-upgrade systemd'.
4. Restart affected services or reboot. systemd-coredump is not a long-running daemon (the kernel spawns it per crash through kernel.core_pattern), so the next crash already uses the updated binary, but follow the advisory and reboot where practical.

🔧 Temporary Workarounds

Disable systemd-coredump

linux

Stop systemd-coredump from accepting cores at all. The unit to act on is the socket, systemd-coredump.socket; there is no long-running unit called systemd-coredump (the per-crash instances are systemd-coredump@.service), so 'systemctl stop/disable/mask systemd-coredump' does not do what the original workaround intended. With the socket masked, the helper the kernel spawns cannot hand the core over and nothing is stored. This also disables crash collection for ordinary processes; a narrower alternative is the kernel sysctl fs.suid_dumpable=0, which stops SUID processes from dumping core at all (systemd's own /usr/lib/sysctl.d/50-coredump.conf sets it to 2, so an override in /etc/sysctl.d must sort after that file).

sudo systemctl mask --now systemd-coredump.socket

Disable core storage and processing in coredump.conf

linux

Storage=none together with ProcessSizeMax=0 disables all coredump handling except a journal entry (coredump.conf(5)). Put the keys in a drop-in with the [Coredump] section header instead of appending bare keys to /etc/systemd/coredump.conf, which may not exist or may not end in that section. No restart is needed: each systemd-coredump instance reads the configuration when it starts.

sudo mkdir -p /etc/systemd/coredump.conf.d
printf '[Coredump]\nStorage=none\nProcessSizeMax=0\n' | sudo tee /etc/systemd/coredump.conf.d/90-cve-2025-4598.conf

🧯 If You Can't Patch

  • Reduce the SUID attack surface: the attacker needs a SUID process they can crash, so remove SUID binaries that are not needed and restrict the remaining ones (for example to a group) where the distribution allows it
  • Monitor for abnormal process crashes (especially repeated crashes of the same SUID binary by one unprivileged user) and for access to /var/lib/systemd/coredump/

🔍 How to Verify

Check if Vulnerable:

Check systemd version: 'systemctl --version' and compare against patched versions in vendor advisories

Check Version:

systemctl --version | head -1

Verify Fix Applied:

Verify systemd package version after update: 'rpm -q systemd' (RHEL) or 'dpkg -l systemd' (Debian/Ubuntu)
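The following script is an added example, not part of the advisory or of systemd: it checks whether either of the two workarounds above is in effect (fs.suid_dumpable=0 at the kernel, or Storage=none plus ProcessSizeMax=0 in coredump.conf and its drop-ins) and can apply the kernel-level one. The file paths are parameters so the checks can also run against copied or constructed files; the drop-in name /etc/sysctl.d/90-cve-2025-4598.conf is a choice made here, the only requirement being that it sorts after systemd's 50-coredump.conf.

```shell
#!/bin/sh
# Added example (not from the advisory or systemd): audit the CVE-2025-4598
# workarounds and optionally apply the kernel-level one.
# Usage:  sh check-4598.sh check     # audit the live system
#         sh check-4598.sh apply     # set fs.suid_dumpable=0 persistently (as root)

# Effective value of KEY from coredump.conf plus its *.conf drop-ins: the main
# file is read first, then drop-ins in name order, and the last assignment wins.
# Arguments: key [main-conf] [drop-in-dir]
coredump_setting() {
    key=$1
    conf=${2:-/etc/systemd/coredump.conf}
    dropin_dir=${3:-/etc/systemd/coredump.conf.d}
    value=""
    for f in "$conf" "$dropin_dir"/*.conf; do
        [ -r "$f" ] || continue
        # Only uncommented "Key = value" lines; commented defaults (#Key=) are skipped.
        v=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$f" | tail -n 1)
        [ -n "$v" ] && value=$v
    done
    printf '%s\n' "$value"
}

# 0 if the kernel refuses to dump SUID processes (fs.suid_dumpable is 0), else 1.
# Argument: [path to the sysctl file, default /proc/sys/fs/suid_dumpable]
suid_dumpable_is_off() {
    path=${1:-/proc/sys/fs/suid_dumpable}
    [ -r "$path" ] || return 1
    [ "$(cat "$path")" = "0" ]
}

# 0 if systemd-coredump stores nothing and processes nothing
# (Storage=none and ProcessSizeMax=0, per coredump.conf(5)), else 1.
# Arguments: [main-conf] [drop-in-dir]
coredump_is_disabled() {
    [ "$(coredump_setting Storage "$1" "$2")" = "none" ] &&
    [ "$(coredump_setting ProcessSizeMax "$1" "$2")" = "0" ]
}

# Prints a verdict; exit status 0 means at least one workaround is in place.
# Arguments: [sysctl file] [main-conf] [drop-in-dir]
check_cve_2025_4598_workarounds() {
    if suid_dumpable_is_off "$1"; then
        echo "OK: fs.suid_dumpable=0, SUID processes do not dump core"
        return 0
    fi
    if coredump_is_disabled "$2" "$3"; then
        echo "OK: systemd-coredump has Storage=none and ProcessSizeMax=0"
        return 0
    fi
    echo "UNMITIGATED: SUID core dumps are allowed and systemd-coredump still stores cores"
    return 1
}

# Persistently set fs.suid_dumpable=0.  systemd ships /usr/lib/sysctl.d/50-coredump.conf
# with fs.suid_dumpable=2, so the override file must sort after it (hence the 90- prefix;
# the file name itself is this script's choice).
apply_suid_dumpable_off() {
    printf 'fs.suid_dumpable = 0\n' > /etc/sysctl.d/90-cve-2025-4598.conf
    sysctl -w fs.suid_dumpable=0
}

case "${1:-}" in
    check) check_cve_2025_4598_workarounds ;;
    apply) apply_suid_dumpable_off ;;
esac
```

Run it with 'check' after patching as well: a patched systemd-coredump plus fs.suid_dumpable=0 is a reasonable steady state on hosts that never need cores from privileged helpers.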

📡 Detection & Monitoring

Log Indicators:

  • Multiple crashes of the same SUID binary, attributed to the same unprivileged user, within a short window (systemd-coredump journal messages of the form "Process <pid> (<comm>) of user <uid> dumped core.")
  • Unauthorized access to /var/lib/systemd/coredump/
  • Abnormal coredump file creation patterns

Network Indicators:

  • None - this is a local attack

SIEM Query:

Illustrative Splunk-style query keyed on the fields systemd-coredump attaches to every journal entry (COREDUMP_UID, COREDUMP_EXE, COREDUMP_COMM, COREDUMP_SIGNAL); the threshold is site specific, but more than a handful of crashes per minute of one executable from one uid is already suspicious:

source="systemd-coredump" MESSAGE="Process * dumped core." | bin _time span=1m | stats count by COREDUMP_UID, COREDUMP_EXE, _time | where count > threshold
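For hosts without a SIEM, the same burst detection can run directly on the journal. The script below is an added example (not from the advisory or systemd): it reads 'journalctl -t systemd-coredump -o short-unix' lines, groups core dumps by (uid, program name) and alerts the first time a group reaches THRESHOLD crashes within WINDOW seconds. The sample log lines are constructed for the demo, not real crashes; unix_chkpwd appears in them only as a representative SUID helper that reads /etc/shadow, and the threshold and window defaults are arbitrary starting points.

```shell
#!/bin/sh
# Added example (not from the advisory or systemd): flag bursts of core dumps
# of the same program by the same user in systemd-coredump journal output.
# Usage:  sh coredump-bursts.sh live [THRESHOLD] [WINDOW_SECONDS]   # read the journal
#         sh coredump-bursts.sh demo                                   # run on the sample below

# Reads 'journalctl -t systemd-coredump -o short-unix' lines on stdin, e.g.
#   1748860500.100000 host systemd-coredump[2001]: Process 2000 (unix_chkpwd) of user 1000 dumped core.
# Prints one ALERT line per (uid, comm) the first time THRESHOLD crashes fall
# inside a sliding WINDOW (seconds) ending at the current crash.
coredump_bursts() {
    threshold=${1:-5}
    window=${2:-60}
    awk -v th="$threshold" -v win="$window" '
        /systemd-coredump\[[0-9]+\]: Process [0-9]+ \(.*\) of user [0-9]+ dumped core\.?$/ {
            t = $1 + 0                                   # epoch seconds with microseconds
            comm = $0; sub(/.* Process [0-9]+ \(/, "", comm); sub(/\) of user .*/, "", comm)
            uid  = $0; sub(/.* of user /, "", uid);      sub(/ dumped core.*/, "", uid)
            key = uid ":" comm
            n[key]++; ts[key, n[key]] = t
            # Count crashes of this key no older than WINDOW seconds before this one.
            c = 0
            for (i = n[key]; i >= 1 && ts[key, i] >= t - win; i--) c++
            if (c >= th && !alerted[key]) {
                alerted[key] = 1
                printf "ALERT uid=%s comm=%s count=%d window=%ds last=%s\n", uid, comm, c, win, $1
            }
        }'
}

# Constructed sample input (not real logs): uid 1000 crashes unix_chkpwd six
# times in six seconds, plus two unrelated crashes of another program far apart.
sample_journal() {
    cat <<'EOF'
1748860500.100000 host systemd-coredump[2001]: Process 2000 (unix_chkpwd) of user 1000 dumped core.
1748860501.200000 host systemd-coredump[2011]: Process 2010 (unix_chkpwd) of user 1000 dumped core.
1748860502.300000 host systemd-coredump[2021]: Process 2020 (unix_chkpwd) of user 1000 dumped core.
1748860503.400000 host systemd-coredump[2031]: Process 2030 (unix_chkpwd) of user 1000 dumped core.
1748860504.500000 host systemd-coredump[2041]: Process 2040 (unix_chkpwd) of user 1000 dumped core.
1748860505.600000 host systemd-coredump[2051]: Process 2050 (unix_chkpwd) of user 1000 dumped core.
1748860600.000000 host systemd-coredump[3001]: Process 3000 (myapp) of user 1001 dumped core.
1748860700.000000 host systemd-coredump[3011]: Process 3010 (myapp) of user 1001 dumped core.
EOF
}

case "${1:-demo}" in
    live) journalctl -t systemd-coredump -o short-unix | coredump_bursts "${2:-5}" "${3:-60}" ;;
    demo) sample_journal | coredump_bursts 5 60 ;;
esac
```

The uid in the message is the real uid of the crashed process, which for a SUID binary is the user who ran it, so grouping by uid points straight at the account driving the crashes; cross-check alerts against the files that appear in /var/lib/systemd/coredump/ and their owners.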
