CVE-2025-4598: Systemd-coredump: race condition that allows a local attacker to crash a suid program and gain read access to the resulting core dump
A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.
A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.
Security readout for executives and security teams
Plain-English summary
This is a local Linux confidentiality issue in systemd-coredump. A user with local access may be able to make a privileged SUID program crash, win a race, and read sensitive memory from the resulting core dump. The sources do not indicate remote exploitation or active exploitation.
Executive priority
Treat as a moderate-priority confidentiality risk. It is not described as remotely exploitable, but it can expose highly sensitive privileged memory on systems where local users or workloads are not fully trusted.
Technical view
CVE-2025-4598 is a CWE-364 race condition in systemd-coredump. The attacker needs local privileges and high-complexity timing to recycle a PID before systemd-coredump analyzes proc data, potentially exposing a SUID process core dump containing privileged memory such as shadow data.
Likely exposure
Exposure is most relevant on Linux hosts or images using affected systemd/systemd-coredump packages, especially listed Red Hat Enterprise Linux, OpenShift/RHCOS, Ceph, Discovery, and Insights proxy environments.
Exploitation context
The CVSS vector is local, high complexity, low privileges, no user interaction, and high confidentiality impact. KEV is false in the provided bundle, and no cited source in the bundle establishes active exploitation.
Researcher notes
Evidence supports a local race involving SUID crash handling and PID reuse. Avoid assuming universal impact across all distributions; downstream packaging and coredump policy may matter. The source bundle names affected Red Hat products but does not provide a universal mitigation beyond vendor advisories.
Mitigation direction
Apply vendor-provided systemd or systemd-coredump updates from applicable Red Hat errata.
Check non-Red Hat Linux distribution guidance for CVE-2025-4598 before assuming unaffected status.
Prioritize shared shell, bastion, multi-user, and container host environments.
Track vendor advisories for affected images and downstream products listed in the bundle.
Validation and detection
Inventory Linux hosts for systemd-coredump and affected systemd package versions.
Map assets to listed Red Hat products and CPEs in the CVE data.
Confirm patch status against applicable RHSA advisories or distribution advisories.
Re-run vulnerability scanning after updates and verify CVE-2025-4598 is cleared.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-364: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-364 · source CWE mapping
Signal Handler Race Condition
Signal Handler Race Condition represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.