Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities in Apport and systemd-coredump: CVE-2025-5054 and CVE-2025-4598

Saeed Abbasi

Last updated on: May 30, 2025

The Qualys Threat Research Unit (TRU) has discovered two local information-disclosure vulnerabilities in Apport and systemd-coredump.

Both issues are race-condition vulnerabilities. The first (CVE-2025-5054) affects Ubuntu’s core-dump handler, Apport, and the second (CVE-2025-4598) affects systemd-coredump, the default core-dump handler on Red Hat Enterprise Linux 9, the recently released RHEL 10, and Fedora. By winning the race, a local attacker who can crash a SUID program gains read access to the resulting core dump.

Qualys TRU has developed proofs of concept (PoCs) for these vulnerabilities on certain operating systems. The PoCs demonstrate how a local attacker can read the core dump of a crashed unix_chkpwd process (the helper that verifies a user’s password, installed by default on most Linux distributions) to obtain password hashes from the /etc/shadow file.

What is systemd-coredump and Apport (Crash Reporting on Linux)?

Let’s examine these frameworks, the potential impact of the vulnerabilities detected, and steps to mitigate the risk posed by these vulnerabilities.

systemd-coredump

systemd-coredump automatically captures “core dumps” (snapshots of a process’s memory) whenever a program crashes. It can store these dumps on disk or in the system journal, making it easy to inspect them later with debugging tools such as GDB. While immensely helpful for diagnosing software problems, core dumps can contain sensitive information, so access to the dump files is restricted to root by default, and administrators can further tune what data gets recorded. Most systemd-based distributions use systemd-coredump, including Fedora, RHEL 8+, CentOS, SUSE, openSUSE, Arch Linux, and others.

Apport

Apport is Ubuntu’s built-in crash-reporting framework (and is used in Ubuntu derivatives). When an application crashes, it gathers relevant details—stack traces, log files, package information—and bundles them into a report for developers to analyze. These reports may include personal or system data.

Potential Impact

Tools like Apport and systemd-coredump, designed to handle crash reporting and core dumps in Linux systems, have historically been plagued by vulnerabilities that expose enterprises to serious security risks. While modern mitigations such as directing core dumps to secure locations, implementing strict PID validation, and limiting access to SUID/SGID core files have reduced these risks, systems running outdated or unpatched versions remain prime targets for vulnerabilities disclosed today by Qualys TRU.

Exploitation of vulnerabilities in Apport and systemd-coredump can severely compromise confidentiality, since attackers could extract sensitive data such as passwords, encryption keys, or customer information from core dumps. The fallout includes operational downtime, reputational damage, and potential non-compliance with regulations. To mitigate these multifaceted risks effectively, enterprises should adopt proactive security measures by prioritizing patches and mitigations, enforcing robust monitoring, and tightening access controls.

Affected Versions

For Apport, Ubuntu 24.04 is vulnerable; versions of “Apport” up to 2.33.0 are affected, and every Ubuntu release since 16.04 is impacted.

For systemd-coredump, Fedora 40/41, Red Hat Enterprise Linux 9, and the recently released RHEL 10 are vulnerable.

Debian systems aren’t vulnerable by default, since they don’t include any core-dump handler unless the user manually installs the systemd-coredump package.

Steps to Mitigate Risk

The /proc/sys/fs/suid_dumpable parameter controls whether SUID programs can produce core dumps on crash. If left enabled, an attacker could trigger a crash to dump sensitive in-memory data (password hashes, keys) to disk. Setting it to 0 disables core dumps for all SUID programs. This prevents SUID programs and root daemons that drop privileges from being analyzed after a crash, but it can act as a temporary fix if the vulnerable core-dump handler itself cannot be patched immediately. This modification will disable the interpreter scanning feature.
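The following POSIX shell script is an added example (not part of the Qualys advisory or of either project’s code) that shows how an administrator can inventory the current setting, identify which core-dump handler the kernel pipes crashes into, and apply the suid_dumpable=0 mitigation both at runtime and persistently. It assumes the standard /proc/sys/fs/suid_dumpable and /proc/sys/kernel/core_pattern files and the sysctl command; the drop-in file name /etc/sysctl.d/99-suid-dumpable.conf is this example’s own choice. The value meanings in the comments follow the kernel’s sysctl documentation.

```shell
#!/bin/sh
# Inventory and mitigation helper for the suid_dumpable setting discussed
# above (CVE-2025-5054 / CVE-2025-4598). Paths can be overridden via the
# environment so the functions can be exercised against sample files.
SUID_DUMPABLE_PROC="${SUID_DUMPABLE_PROC:-/proc/sys/fs/suid_dumpable}"
CORE_PATTERN_PROC="${CORE_PATTERN_PROC:-/proc/sys/kernel/core_pattern}"
# Drop-in name is an assumption of this example, not from the advisory.
SYSCTL_DROPIN="${SYSCTL_DROPIN:-/etc/sysctl.d/99-suid-dumpable.conf}"

# Translate the kernel value into a verdict. Per kernel docs:
#   0 = processes that changed privileges never dump core (the mitigation)
#   1 = "debug": every process dumps core regardless of privilege
#   2 = "suidsafe": privileged cores are produced only when core_pattern
#       names a pipe handler or absolute path; that handler is what Apport
#       and systemd-coredump provide, so the race described above applies
suid_dumpable_verdict() {
    case "$1" in
        0) echo "hardened" ;;
        1) echo "exposed" ;;
        2) echo "handler-dependent" ;;
        *) echo "unknown" ;;
    esac
}

# Classify kernel.core_pattern. A leading '|' means the kernel pipes the
# core into a user-space handler; report which of the two handlers from the
# advisory is in use, if any.
core_handler_from_pattern() {
    case "$1" in
        "|"*apport*)           echo "apport" ;;
        "|"*systemd-coredump*) echo "systemd-coredump" ;;
        "|"*)                  echo "other-pipe-handler" ;;
        *)                     echo "file" ;;
    esac
}

# Read a one-line sysctl value from a file (defaults to the /proc path).
read_proc_value() {
    cat "$1" 2>/dev/null || echo "unknown"
}

# Content of the sysctl.d drop-in that makes the mitigation survive reboot.
render_sysctl_dropin() {
    printf 'fs.suid_dumpable = 0\n'
}

# Apply the mitigation: immediate runtime change plus persistent drop-in.
apply_mitigation() {
    sysctl -w fs.suid_dumpable=0
    render_sysctl_dropin > "$SYSCTL_DROPIN"
}

# Print the current state; pass --apply (as root) to enforce the mitigation.
main() {
    cur=$(read_proc_value "$SUID_DUMPABLE_PROC")
    pat=$(read_proc_value "$CORE_PATTERN_PROC")
    printf 'fs.suid_dumpable=%s (%s)\n' "$cur" "$(suid_dumpable_verdict "$cur")"
    printf 'kernel.core_pattern handler: %s\n' "$(core_handler_from_pattern "$pat")"
    if [ "${1:-}" = "--apply" ]; then
        apply_mitigation
    fi
}

main "$@"
```

Run it without arguments to audit a host; run it with --apply as root to set fs.suid_dumpable=0 now and write the drop-in. Keep in mind the trade-off stated above: with the value at 0, crashes of SUID programs and privilege-dropping daemons no longer produce a core file for analysis, so revert the drop-in once the patched Apport or systemd-coredump package is installed.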

For more details on how to leverage Qualys TruRisk™ Eliminate to mitigate these risks, see the “Leverage Qualys TruRisk Eliminate to Mitigate These Risks” section below.

Technical Details

You can find the technical details of these vulnerabilities at: https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt

Qualys QID Coverage

Qualys is releasing the QIDs in the table below as they become available.

Leverage Qualys TruRisk Eliminate to Mitigate These Risks

To help organizations address these risks quickly, customers leveraging the Qualys Cloud Agent can use the TruRisk™ Eliminate module. This module is fully integrated with the VM module to efficiently assign all of the IG QIDs to the team responsible for those affected servers. It allows the team to test and deploy the mitigation directly from the Qualys console, leveraging the Qualys agent. There is nothing new to install.

The same researchers who uncovered these vulnerabilities have proactively developed and thoroughly tested those mitigation scripts, ensuring organizations can rapidly and effectively neutralize this new threat.

If you are not subscribed to the TruRisk Eliminate module, you can visit here to start a trial or connect with your Technical Account Manager (TAM) to enable a trial for you.

Once the TruRisk™ Eliminate module is enabled, you can address this risk by visiting VMDR, opening the Vulnerabilities tab, selecting the vulnerabilities on the assets you would like to mitigate, and choosing Actions -> View Risk Eliminate:

Use the Mitigate Now button or Multi-select Vulnerability and select Actions -> Create Mitigation Job to start a mitigation job that will apply the mitigation to your assets.

Note: While this feature can rapidly reduce the risk, using it broadly may introduce operational risks or lead to undesired application behavior. We recommend thorough testing in a controlled environment to confirm compatibility and maintain system stability.

This scenario underscores why mitigation should be an essential component of any comprehensive cybersecurity strategy. It provides a critical layer of defense precisely when patches are absent.
