LiveActive security incident?Get immediate response
CVE Record

CVE-2025-4598: Systemd-coredump: race condition that allows a local attacker to crash a suid program and gain read access to the resulting core dump

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

MediumCVSS 4.7Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This is a local Linux confidentiality issue in systemd-coredump. A user with local access may be able to make a privileged SUID program crash, win a race, and read sensitive memory from the resulting core dump. The sources do not indicate remote exploitation or active exploitation.

Executive priority

Treat as a moderate-priority confidentiality risk. It is not described as remotely exploitable, but it can expose highly sensitive privileged memory on systems where local users or workloads are not fully trusted.

Technical view

CVE-2025-4598 is a CWE-364 race condition in systemd-coredump. The attacker needs local privileges and high-complexity timing to recycle a PID before systemd-coredump analyzes proc data, potentially exposing a SUID process core dump containing privileged memory such as shadow data.

Likely exposure

Exposure is most relevant on Linux hosts or images using affected systemd/systemd-coredump packages, especially listed Red Hat Enterprise Linux, OpenShift/RHCOS, Ceph, Discovery, and Insights proxy environments.

Exploitation context

The CVSS vector is local, high complexity, low privileges, no user interaction, and high confidentiality impact. KEV is false in the provided bundle, and no cited source in the bundle establishes active exploitation.

Researcher notes

Evidence supports a local race involving SUID crash handling and PID reuse. Avoid assuming universal impact across all distributions; downstream packaging and coredump policy may matter. The source bundle names affected Red Hat products but does not provide a universal mitigation beyond vendor advisories.

Mitigation direction

  • Apply vendor-provided systemd or systemd-coredump updates from applicable Red Hat errata.
  • Check non-Red Hat Linux distribution guidance for CVE-2025-4598 before assuming unaffected status.
  • Prioritize shared shell, bastion, multi-user, and container host environments.
  • Track vendor advisories for affected images and downstream products listed in the bundle.

Validation and detection

  • Inventory Linux hosts for systemd-coredump and affected systemd package versions.
  • Map assets to listed Red Hat products and CPEs in the CVE data.
  • Confirm patch status against applicable RHSA advisories or distribution advisories.
  • Re-run vulnerability scanning after updates and verify CVE-2025-4598 is cleared.
Prepared
Confidence
high
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-364: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Container behavior lookup

The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-4598 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
4.7 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
5Timeline events
3ADP providers
16Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
4.7CVSS 3.1MediumCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N13.6redhat

Vulnerability scoring details

Base CVSS 3.1 score

4.7Medium
CVSS 3.1 vector shape for CVE-2025-4598Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. Source timelineredhat

    Made public.

  3. Source timelineredhat

    Reported to Red Hat.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Unknown vendorsystemd-coredumpsystemd-coredump, 0, 253.0, 254.0, 255.0, 256.0, 257.0unaffected
Red HatRed Hat Enterprise Linux 10systemd, 0:257-23.el10affected
Red HatRed Hat Enterprise Linux 9systemd, 0:252-55.el9_7.7affected
Red HatRed Hat Enterprise Linux 9systemd, 0:252-55.el9_7.7affected
Red HatRed Hat Ceph Storage 7rhceph/rhceph-7-rhel9, 7affected
Red HatRed Hat Ceph Storage 8rhceph/rhceph-8-rhel9, 8affected
Red HatRed Hat Ceph Storage 8rhceph/rhceph-8-rhel9, 1769512383affected
Red HatRed Hat Discovery 2discovery/discovery-server-rhel9, 1767888970affected
Red HatRed Hat Discovery 2discovery/discovery-ui-rhel9, 1767904573affected
Red HatRed Hat Insights proxy 1.5insights-proxy/insights-proxy-container-rhel9, 1.5.9-1765201856affected
Red HatRed Hat Enterprise Linux 10NetworkManagerunaffected
Red HatRed Hat Enterprise Linux 10rpm-ostreeunaffected
Red HatRed Hat Enterprise Linux 7NetworkManagerunaffected
Red HatRed Hat Enterprise Linux 7systemdaffected
Red HatRed Hat Enterprise Linux 8systemdaffected
Red HatRed Hat Enterprise Linux 9NetworkManagerunaffected
Red HatRed Hat OpenShift Container Platform 4rhcosaffected
Red HatRed Hat OpenShift Container Platform 4systemdunaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-364 · source CWE mapping

Signal Handler Race Condition

Signal Handler Race Condition represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.