\nThe Qualys Threat Research Unit (TRU) has discovered two local information-disclosure vulnerabilities in Apport and systemd-coredump.<\/p>\n
Both issues are race-condition vulnerabilities. The first (CVE-2025-5054) affects Ubuntu’s core-dump handler, **Apport** , and the second (CVE-2025-4598) targets **systemd-coredump** , which is the default core-dump handler on Red Hat Enterprise Linux 9 and the recently released 10, as well as on Fedora. These race conditions allow a local attacker to exploit a SUID program and gain read access to the resulting core dump.<\/p>\n
Qualys TRU has developed proofs of concept (POCs) for certain operating systems for these vulnerabilities. These POCs demonstrate how a local attacker can exploit the coredump of a crashed unix_chkpwd process (designed to verify the validity of a user’s password)\u2014installed by default on most Linux distributions\u2014to obtain password hashes from the \/etc\/shadow file.<\/p>\n
## **What is systemd-coredump and Apport (Crash Reporting on Linux)?**<\/p>\n
Let’s examine these frameworks, the potential impact of the vulnerabilities detected, and steps to mitigate the risk posed by these vulnerabilities.<\/p>\n
### **systemd-coredump**<\/p>\n
systemd-coredump automatically captures \u201ccore dumps\u201d (snapshots of a process\u2019s memory) whenever a program crashes. It can store these dumps or keep them in the system journal, making it easy to inspect them later with debugging tools such as GDB. While immensely helpful for diagnosing software problems, core dumps can contain sensitive information, so access to the dump files is restricted to root by default, and administrators can further tune what data gets recorded. Most systemd-based distributions employed systemd-coredump including Fedora, RHEL 8+, CentOS, SUSE, openSUSE, Arch Linux, and others.<\/p>\n
### **Apport**<\/p>\n
Apport is Ubuntu\u2019s built-in crash-reporting framework (and is used in Ubuntu derivatives). When an application crashes, it gathers relevant details\u2014stack traces, log files, package information\u2014and bundles them into a report for developers to analyze. These reports may include personal or system data.<\/p>\n
### **Potential Impact**<\/p>\n
Tools like Apport and systemd-coredump, designed to handle crash reporting and core dumps in Linux systems, have historically been plagued by vulnerabilities that expose enterprises to serious security risks. While modern mitigations such as directing core dumps to secure locations, implementing strict PID validation, and limiting access to SUID\/SGID core files have reduced these risks, systems running outdated or unpatched versions remain prime targets for vulnerabilities disclosed today by Qualys TRU.<\/p>\n
The exploitation of vulnerabilities in Apport and systemd-coredump can severely compromise the confidentiality at high risk, as attackers could extract sensitive data, like passwords, encryption keys, or customer information from core dumps. The fallout includes operational downtime, reputational damage, and potential non-compliance with regulations. To mitigate these multifaceted risks effectively, enterprises should adopt proactive security measures by prioritizing patches and mitigations, enforcing robust monitoring, and tightening access controls.<\/p>\n
### **Affected Versions**<\/p>\n
For Apport, Ubuntu 24.04 is vulnerable; versions of \u201cApport\u201d up to 2.33.0 are affected, and every Ubuntu release since 16.04 is impacted.<\/p>\n
For systemd-coredump, Fedora 40\/41, and Red Hat Enterprise Linux 9, and the recently released RHEL 10 are vulnerable.<\/p>\n
Debian systems aren\u2019t vulnerable by default, since they don\u2019t include any core-dump handler unless the user manually installs the systemd-coredump package.<\/p>\n
### **Steps to Mitigate Risk**<\/p>\n
The \/proc\/sys\/fs\/suid_dumpable parameter controls whether SUID programs can produce core dumps on crash. If left enabled, an attacker could trigger a crash to dump sensitive in-memory data (password hashes, keys) to disk. To mitigate these vulnerabilities, setting it to 0 disables core dumps for all SUID programs, prevents all SUID programs and root daemons that drop privileges from being analyzed in case of a crash, but it can act as a temporary fix if the vulnerable core-dump handler itself cannot be patched immediately. This modification will disable the interpreter scanning feature.<\/p>\n
`To disable core dumps for SUID, set \/proc\/sys\/fs\/suid_dumpable to 0 by using root privileges.`<\/p>\n
For more details on how to leverage Qualys TruRisk Eliminate to mitigate these risks, see the Leveraging TruRisk Eliminate section below. <\/p>\n
## T**echnical Details**<\/p>\n
You can find the technical details of these vulnerabilities at: https:\/\/www.qualys.com\/2025\/05\/29\/apport-coredump\/apport-coredump.txt<\/p>\n
## **Qualys QID Coverage**<\/p>\n
Qualys is releasing the QIDs in the table below as they become available.<\/p>\n
**QID**| **Title**| **Version**| **Supported On**
—|—|—|—
383314| Apport and systemd-coredump Information Disclosure Vulnerabilities| Available by the end of the day| Scanner + Agent <\/p>\n
## **Leverage Qualys TruRisk Eliminate to Mitigate These Risks**<\/p>\n
To help organizations address these risks quickly, customers leveraging the Qualys Cloud Agent can use the TruRisk Eliminate module. This module is fully integrated with the VM module to efficiently assign all of the IG QIDs to the team responsible for those affected servers. It allows the team to test and deploy the mitigation directly from the Qualys console, leveraging the Qualys agent. There is nothing new to install.<\/p>\n
The same researchers who uncovered these vulnerabilities have proactively developed and thoroughly tested those mitigation scripts, ensuring organizations can rapidly and effectively neutralize this new threat.<\/p>\n
**If you are not subscribed to the TruRisk Eliminate module, you can visit here to start a trial or connect with your Technical Account Manager (TAM) to enable a trial for you.**<\/p>\n
Once the TruRisk Eliminate module is enabled, you can address this risk by visiting **VMDR and Vulnerabilities tab** , and select all the vulnerabilities on the assets you would like to mitigate this vulnerability on, and use _Actions- > View Risk Eliminate_:<\/p>\n
<\/p>\n
Use the _Mitigate Now_ button or _Multi-select Vulnerability_ and select Actions _- > Create Mitigation Job _to start a mitigation job that will apply the mitigation to your assets.<\/p>\n
<\/p>\n
Note: While this feature can rapidly reduce the risk, using it broadly may introduce operational risks or lead to undesired application behavior. We recommend thorough testing in a controlled environment to confirm compatibility and maintain system stability.<\/p>\n
This scenario underscores why mitigation should be an essential component of any comprehensive cybersecurity strategy. It provides a critical layer of defense precisely when patches are absent.<\/p>\n
* * *<\/p>\n
**Looking for an immediate, actionable path to risk reduction in the face of these vulnerabilities?**<\/p>\n
Try TruRisk Eliminate Today<\/p>\n
* * *\n<\/p><\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598 Update ID QUALYSBLOG:E49D7021C32E482A9A643C827827D6CB Type…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,34,12,13,33,120,7,11,5],"class_list":["post-6110","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-news","tag-none","tag-qualysblog","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=6110\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598 Update ID QUALYSBLOG:E49D7021C32E482A9A643C827827D6CB Type...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=6110\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-29T13:35:33+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6110#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6110\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598\",\"datePublished\":\"2025-05-29T13:35:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6110\"},\"wordCount\":1146,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"news\",\"NONE\",\"qualysblog\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=6110#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6110\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6110\",\"name\":\"Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-29T13:35:33+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6110#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=6110\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6110#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=6110","og_locale":"en_US","og_type":"article","og_title":"Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598 - zero redgem","og_description":"Security Update News Update Information Title Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598 Update ID QUALYSBLOG:E49D7021C32E482A9A643C827827D6CB Type...","og_url":"https:\/\/zero.redgem.net\/?p=6110","og_site_name":"zero redgem","article_published_time":"2025-05-29T13:35:33+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=6110#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=6110"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598","datePublished":"2025-05-29T13:35:33+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=6110"},"wordCount":1146,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","news","NONE","qualysblog","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=6110#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=6110","url":"https:\/\/zero.redgem.net\/?p=6110","name":"Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-29T13:35:33+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=6110#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=6110"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=6110#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/6110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6110"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/6110\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}