National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team aims to increase electronic security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

Signal Handler Race Condition

03 June 2025

The Digital Security Authority (DSA) wants to bring to your attention a vulnerability affecting multiple Linux distributions. 

 

Technical Details

CVE-2025-4598 is a race condition vulnerability in systemd-coredump affecting multiple Linux distributions. It allows local attackers to exploit PID reuse and access core dumps of privileged (SUID) processes, potentially leaking sensitive data like password hashes or private keys. Though the vulnerability is difficult to exploit, its impact on confidentiality is significant.

The vulnerability hinges on timing: an attacker must rapidly replace a crashed SUID binary with a benign one while the system recycles the same PID. This race condition can lead to leakage of privileged information without elevated rights. While the attack complexity is high and requires precise conditions, it underscores the broader risk of relying on PID-based assumptions in security-sensitive code. Patch updates have mitigated the issue by improving how core dumps are handled to prevent unauthorized access.

 

Affected Versions:

The following versions are affected: 

 • Debian: systemd prior to 252.38-1~deb12u1 (Debian 12 "Bookworm")

 • Red Hat Enterprise Linux (RHEL): affected versions not explicitly listed, but updates and advisories were issued for RHEL 8 and 9.

 • Amazon Linux 2023: vulnerable until patched in recent system updates.

 • Oracle Linux: inherits vulnerabilities from RHEL; affected similarly.

 

Recommendations

The Digital Security Authority recommends upgrading systemd to the latest patched version provided by your Linux distribution. The fix ensures core dumps are securely handled, preventing unauthorized access due to PID reuse. As an additional mitigation, disable systemd-coredump if it is not needed.
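A host-side check for the two recommendations above, as an added example that is not part of the DSA advisory: it tests whether the kernel hands core dumps to systemd-coredump and, on Debian 12 only, whether the installed systemd package is at or above the fixed version listed under Affected Versions. The function names and verdict strings are assumptions of this example, and the version comparison relies on dpkg being present.

```shell
#!/bin/sh
# Added example (not from the advisory): exposure check for CVE-2025-4598.
# The fixed version is the Debian 12 "Bookworm" one named in the advisory;
# function names and verdict strings are assumptions made for this example.
DEBIAN12_FIXED="252.38-1~deb12u1"

# Succeeds if a kernel.core_pattern value pipes crashes to systemd-coredump.
pattern_uses_systemd_coredump() {
    case "$1" in
        "|"*) ;;              # only a leading '|' hands the dump to a program
        *) return 1 ;;        # plain file pattern: no helper involved
    esac
    handler=${1#"|"}          # drop the pipe marker
    handler=${handler%% *}    # keep the program path, drop % arguments
    [ "${handler##*/}" = "systemd-coredump" ]
}

# Succeeds if a Debian 12 systemd package version carries the fix.
# Returns 2 when dpkg is not available to compare versions.
debian12_systemd_is_patched() {
    command -v dpkg >/dev/null 2>&1 || return 2
    dpkg --compare-versions "$1" ge "$DEBIAN12_FIXED"
}

# Prints one verdict line for a (core_pattern, package version) pair.
assess() {
    if ! pattern_uses_systemd_coredump "$1"; then
        echo "not-exposed: systemd-coredump is not the core dump handler"
        return 0
    fi
    rc=0
    debian12_systemd_is_patched "$2" || rc=$?
    case "$rc" in
        0) echo "patched: systemd $2 is at or above $DEBIAN12_FIXED" ;;
        1) echo "exposed: systemd $2 is older than $DEBIAN12_FIXED" ;;
        *) echo "unknown: dpkg unavailable, compare versions manually" ;;
    esac
}

# On a Debian 12 host: sh check-coredump.sh --host
if [ "${1:-}" = "--host" ]; then
    assess "$(cat /proc/sys/kernel/core_pattern)" \
           "$(dpkg-query -W -f='${Version}' systemd)"
fi
```

For RHEL, Amazon Linux and Oracle Linux the advisory gives no fixed version, so only the core_pattern check applies there; compare the installed package against the vendor's own advisory.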

 


 

The information presented in this report is based on available data up to the 1st of June 2025. 
