
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A vulnerability was discovered in systemd-coredump (CVE-2025-4598) that allows a local attacker to exploit a race condition in the core dump handling process. The flaw was discovered on May 29, 2025, affecting systemd-coredump implementations in various Linux distributions including Red Hat Enterprise Linux 9 and Fedora. This vulnerability enables attackers to force a SUID process to crash and replace it with a non-SUID binary, thereby gaining access to the core dump of the original privileged process and potentially exposing sensitive data such as /etc/shadow content (Qualys Advisory).
The vulnerability exploits a race condition in systemd-coredump's process analysis. The attack involves crashing a SUID process and quickly replacing it with a non-SUID process before systemd-coredump can analyze the /proc/pid/auxv file. The vulnerability has been assigned a CVSS v3.1 score of 4.7 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating that exploitation requires local access and has high attack complexity, but can have a significant confidentiality impact (Red Hat CVE, NVD).
The vulnerability's impact is primarily focused on data confidentiality. When successfully exploited, attackers can access sensitive information from core dumps, including password hashes from /etc/shadow, private keys, and other privileged data loaded by the original SUID process. Additionally, attackers can potentially access memory contents of root daemons, obtaining information such as SSH host keys, other users' crontabs, ASLR addresses, and stack canaries (Hacker News, Qualys Advisory).
As a temporary mitigation, systems can be protected by setting /proc/sys/fs/suid_dumpable to 0 (SUID_DUMP_DISABLE). This prevents all SUID programs and root daemons that drop privileges from being analyzed during crashes. While this mitigates the vulnerability, it also disables the capability of analyzing crashes for such binaries. For a permanent fix, the vulnerability requires updating the systemd-coredump package to include proper handling of the kernel's per-process dumpable flag and implementation of the new %F specifier in /proc/sys/kernel/core_pattern (Qualys Advisory).
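A host check for the mitigation and fix described above, as an added example that is not code from the advisory or from systemd. The function name, verdict strings and the two sample core_pattern values are constructed for illustration, and treating %F in core_pattern as a sign of the updated handler is an assumption that still needs confirming against the installed package version.

```shell
#!/bin/sh
# Added example: classify a host's CVE-2025-4598 exposure from two sysctl values.
# $1 = contents of /proc/sys/fs/suid_dumpable
# $2 = contents of /proc/sys/kernel/core_pattern
assess_coredump() {
    suid_dumpable=$1
    core_pattern=$2

    # A leading '|' means the kernel pipes each dump to a userspace helper.
    case $core_pattern in
        '|'*systemd-coredump*) ;;
        *) echo "not-applicable: systemd-coredump is not the core dump handler"
           return 0 ;;
    esac

    # 0 = SUID_DUMP_DISABLE: SUID programs and privilege-dropping root
    # daemons are not dumped at all, so no privileged dump exists to leak.
    if [ "$suid_dumpable" = 0 ]; then
        echo "mitigated: suid_dumpable=0 (crash analysis of SUID binaries is off)"
        return 0
    fi

    # Assumption: %F in core_pattern is only a hint that the updated handler
    # is installed; the package version is what actually decides.
    case $core_pattern in
        *%F*) echo "check-package: %F present, confirm the fixed systemd-coredump version" ;;
        *)    echo "exposed: suid_dumpable=$suid_dumpable and no %F in core_pattern" ;;
    esac
    return 0
}

# Constructed sample values, for running on a machine without systemd-coredump.
SAMPLE_OLD='|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h'
SAMPLE_NEW='|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %d %F'
assess_coredump 2 "$SAMPLE_OLD"
assess_coredump 2 "$SAMPLE_NEW"

# Live check, only where both files are readable.
if [ -r /proc/sys/fs/suid_dumpable ] && [ -r /proc/sys/kernel/core_pattern ]; then
    assess_coredump "$(cat /proc/sys/fs/suid_dumpable)" \
                    "$(cat /proc/sys/kernel/core_pattern)"
fi
```

A "mitigated" verdict carries the trade-off noted above: crashes of SUID binaries and privilege-dropping daemons can no longer be analyzed until the package is updated and the setting is restored.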
Red Hat has rated the vulnerability as Moderate severity due to the high complexity required for exploitation, while acknowledging its potential impact. The security community has noted that despite the moderate CVSS score, the vulnerability's real-world impact could be significant as it provides a potential step in local privilege escalation attacks (Hacker News, OSS Security).
Source: This report was generated using AI