CVE-2025-4598: Signal Handler Race Condition
A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary in order to access the original privileged process's coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and forcing the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original SUID process's coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.
AI Analysis
Technical Summary
CVE-2025-4598 is a vulnerability discovered in systemd-coredump, the component responsible for capturing and storing core dumps of crashed processes on Linux systems that use it as the kernel's core_pattern handler. The flaw is a signal handler race condition (the crash is delivered by signal, and the handler's follow-up work is not atomic with respect to the crashing process's lifetime) that matters when the crashed process is SUID (Set User ID). SUID binaries run with the privileges of the file owner, typically root, regardless of the invoking user's permissions. The vulnerability allows a local attacker with low privileges to force a SUID process to crash and then arrange for the kernel to reuse the dead process's PID for a non-SUID process of their own before systemd-coredump has finished reading /proc/pid/auxv for that PID. Because systemd-coredump derives the owner and access rules for the dump from what it finds under the recycled PID, the race tricks it into treating the privileged coredump as belonging to the attacker's unprivileged process, thereby granting the attacker read access to the original SUID process's coredump. Since coredumps contain whatever the original process had in memory, for example password hashes read from /etc/shadow, this is a confidentiality breach. The attack requires local access and has high complexity because the attacker must win the race. The vulnerability affects multiple versions of systemd-coredump up to version 257.0 on Red Hat Enterprise Linux 10. The CVSS 3.1 base score is 4.7 (medium): attack vector local, attack complexity high, privileges required low, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability.
Potential Impact
The primary impact of CVE-2025-4598 is the unauthorized disclosure of sensitive information from privileged SUID processes through their coredumps. This can lead to exposure of critical data such as password hashes, cryptographic keys, or other confidential information loaded into memory by these processes. Organizations relying on Red Hat Enterprise Linux 10 with vulnerable systemd-coredump versions risk confidentiality breaches that could facilitate further attacks, including privilege escalation or lateral movement within networks. Although the vulnerability does not affect system integrity or availability directly, the leakage of sensitive data can undermine trust and compliance, especially in regulated industries. The requirement for local access limits remote exploitation, but insider threats or attackers with initial footholds on affected systems can leverage this flaw. The high attack complexity reduces the likelihood of widespread exploitation, but targeted attacks against high-value assets remain a concern.
Mitigation Recommendations
To mitigate CVE-2025-4598, organizations should promptly apply patches or updates provided by Red Hat for systemd-coredump to versions beyond 257.0 once available. Until patches are deployed, administrators should restrict local user access to systems running vulnerable versions, especially limiting access to SUID binaries and sensitive directories such as /proc and /var/lib/systemd/coredump. Implementing strict file permissions and access controls on coredump storage locations can reduce unauthorized read access. Additionally, disabling core dumps for SUID processes or configuring systemd-coredump to exclude sensitive processes from dumping can limit exposure. Monitoring system logs for unusual crashes or suspicious activity related to SUID processes may help detect exploitation attempts. Employing mandatory access control frameworks like SELinux or AppArmor to confine systemd-coredump's privileges can further reduce risk. Finally, educating system administrators about the vulnerability and enforcing least privilege principles will help minimize attack surface.
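As an added illustration of the "disable core dumps for SUID processes" recommendation above (example code, not from the advisory, Red Hat or the systemd project), the following POSIX shell script audits the two settings that decide whether a crashed set-uid process is dumped at all: the kernel sysctl fs.suid_dumpable (read from /proc/sys/fs/suid_dumpable) and the Storage= and ProcessSizeMax= keys in /etc/systemd/coredump.conf. Those paths and keys are real; the function names conf_value and assess are this example's own. Only fs.suid_dumpable=0 stops the kernel from producing a dump for a set-uid process in the first place, so that is the only state the script reports as fully hardened; Storage=none or ProcessSizeMax=0 limit what systemd-coredump retains and are reported as partial. The script only reports; the remediation commands it prints are left for the administrator to run.

```shell
#!/bin/sh
# Added example (not part of the advisory or of systemd): audit whether a
# crashed set-uid process on this host could still be core-dumped.
#   /proc/sys/fs/suid_dumpable   kernel knob; 0 = never dump set-uid processes
#   /etc/systemd/coredump.conf   Storage= and ProcessSizeMax= in [Coredump]
# conf_value and assess are pure functions so they can be exercised offline.

# conf_value FILE KEY: print the effective value of KEY in a coredump.conf-style
# file (last uncommented "KEY=value" wins), or nothing if unset/unreadable.
# coredump.conf has a single [Coredump] section, so section headers are ignored.
conf_value() {
    file="$1"
    key="$2"
    [ -r "$file" ] || { echo ""; return 0; }
    sed -n 's/^[[:space:]]*'"$key"'[[:space:]]*=[[:space:]]*//p' "$file" | tail -n 1
}

# assess SUID_DUMPABLE STORAGE PROCESSSIZEMAX: print one line starting with
# "hardened", "partial" or "exposed".
assess() {
    suid_dumpable="$1"
    storage="$2"
    sizemax="$3"
    if [ "$suid_dumpable" = "0" ]; then
        # The kernel never invokes the core_pattern helper for a set-uid
        # process, so systemd-coredump is not in the picture at all.
        echo "hardened: fs.suid_dumpable=0, set-uid processes are never dumped"
    elif [ "$storage" = "none" ]; then
        # systemd-coredump still runs but writes no dump file to disk.
        echo "partial: Storage=none keeps no dump file, but fs.suid_dumpable=$suid_dumpable still lets the kernel dump set-uid processes"
    elif [ "$sizemax" = "0" ]; then
        # Zero maximum size makes systemd-coredump discard the dump.
        echo "partial: ProcessSizeMax=0 discards dumps, but fs.suid_dumpable=$suid_dumpable still lets the kernel dump set-uid processes"
    else
        echo "exposed: fs.suid_dumpable=$suid_dumpable, Storage=${storage:-unset}, ProcessSizeMax=${sizemax:-unset}"
    fi
}

# main: read the live host settings and report them, then print (not run)
# the commands that put the kernel knob into the hardened state.
main() {
    sd=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unknown)
    st=$(conf_value /etc/systemd/coredump.conf Storage)
    sm=$(conf_value /etc/systemd/coredump.conf ProcessSizeMax)
    assess "$sd" "$st" "$sm"
    echo "remediation (runtime):    sysctl -w fs.suid_dumpable=0"
    echo "remediation (persistent): printf 'fs.suid_dumpable = 0\\n' > /etc/sysctl.d/50-suid-dumpable.conf"
}

# Invoke as:  sh coredump-audit.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Setting fs.suid_dumpable=0 is the coarse, immediately available control; it also suppresses dumps of any other process that changed credentials, so crash diagnostics for such daemons are lost until the patched systemd-coredump is installed.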
Affected Countries
United States, Germany, India, China, United Kingdom, France, Japan, Canada, Australia, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-05-12T16:33:34.815Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6839b29a182aa0cae2b1bcef
Added to database: 5/30/2025, 1:28:58 PM
Last enriched: 2/27/2026, 2:42:39 PM
Last updated: 3/23/2026, 6:47:25 AM