4.7 CVE-2025-4598

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.
https://nvd.nist.gov/vuln/detail/CVE-2025-4598

Categories

CWE-364 : Signal Handler Race Condition
The product uses a signal handler that introduces a race condition. Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Design signal handlers to only set flags, rather than perform complex functionality. These flags can then be checked and acted upon within the main program loop. Only use reentrant functions within signal handlers. Also, use validation to ensure that state is consistent while performing asynchronous actions that affect the state of execution. Signal handler does not disable other signal handlers, allowing it to be interrupted, causing other functionality to access files/etc. with raised privileges Attacker can send a signal while another signal handler is already running, leading to crash or execution with root privileges unsafe calls to library functions from signal handler SIGURG can be used to remotely interrupt signal handler; other variants exist SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free.

References

 

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*		< 252.37
cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*	>= 253	< 253.32
cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*	>= 254	< 254.25
cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*	>= 255	< 255.19
cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*	>= 256	< 256.14
cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*	>= 257	< 257.6
Configuration 2
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
Configuration 3
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
Configuration 4
cpe:2.3:o:oracle:linux:8:-:*:*:*:*:*:*
cpe:2.3:o:oracle:linux:9:-:*:*:*:*:*:*
Configuration 5
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*		< 6.16

---

REMEDIATION

---

---

EXPLOITS

---

Exploit-db.com

id	description	date
No known exploits

---

POC Github

Url
No known exploits

---

Other Nist (github, ...)

Url
https://blogs.oracle.com/linux/post/analysis-of-cve-2025-4598
https://ciq.com/blog/the-real-danger-of-systemd-coredump-cve-2025-4598/

---

CAPEC

---

Common Attack Pattern Enumerations and Classifications

id	description	severity
No entry

---