
CVE-2025-4598: Signal Handler Race Condition

Medium
Tags: Vulnerability, CVE-2025-4598, cve, cve-2025-4598
Published: Fri May 30 2025 (05/30/2025, 13:13:26 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat Enterprise Linux 10

Description

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

AI-Powered Analysis

Last updated: 11/18/2025, 05:15:20 UTC

Technical Analysis

CVE-2025-4598 is a race condition vulnerability in the systemd-coredump component of Red Hat Enterprise Linux 10, specifically affecting versions 0 and 253.0 through 257.0. The flaw arises when an attacker forces a SUID (Set User ID) process to crash, triggering systemd-coredump to generate a coredump file for the crashed process. Because the Linux kernel can recycle the process ID (PID) before systemd-coredump reads the /proc/pid/auxv file, an attacker who wins the race can cause systemd-coredump to associate the coredump with a non-SUID process that reuses the PID, and thereby access the privileged coredump of the original SUID process. Since SUID processes run with elevated privileges, their memory may contain sensitive information such as the contents of /etc/shadow, which stores password hashes. Exploiting this vulnerability requires local access and the ability to crash a SUID process, but does not require user interaction. The vulnerability impacts confidentiality by exposing sensitive data in memory but does not affect integrity or availability. The CVSS v3.1 score is 4.7 (medium severity), reflecting high attack complexity, the need for low privileges, and the lack of user interaction. No public exploits are known at this time. The vulnerability is specific to Red Hat Enterprise Linux 10 and the systemd-coredump versions listed, so organizations running these systems should prioritize addressing it.

Potential Impact

For European organizations, this vulnerability poses a significant confidentiality risk, particularly for entities handling sensitive or regulated data such as financial institutions, healthcare providers, and government agencies. If exploited, attackers could extract sensitive credentials or other confidential information from privileged processes, potentially enabling further lateral movement or privilege escalation within the network. This could lead to data breaches, compliance violations (e.g., GDPR), and reputational damage. The requirement for local access limits remote exploitation but insider threats or attackers who have already gained limited footholds could leverage this flaw to escalate privileges or access sensitive data. Organizations relying on Red Hat Enterprise Linux 10 in critical infrastructure or data centers are particularly at risk, as the exposure of privileged process memory could undermine system security and trust. The medium severity rating suggests the impact is serious but exploitation complexity and required conditions reduce the immediate risk compared to more critical vulnerabilities.

Mitigation Recommendations

1. Apply patches and updates from Red Hat as soon as they become available for systemd-coredump and related components to eliminate the race condition.
2. Restrict local user permissions to prevent unauthorized users from crashing SUID processes or accessing coredump files.
3. Configure systemd-coredump to limit or disable coredump generation for SUID processes where feasible, or restrict access to coredump files using strict file permissions and access control lists (ACLs).
4. Monitor system logs for unusual crashes of SUID binaries and investigate potential exploitation attempts.
5. Employ mandatory access control frameworks such as SELinux or AppArmor to enforce strict process isolation and limit the ability of unprivileged users to interfere with privileged processes.
6. Conduct regular audits of SUID binaries and minimize their use to reduce the attack surface.
7. Implement endpoint detection and response (EDR) solutions to detect anomalous behavior related to process crashes or unauthorized file access.
8. Educate system administrators and security teams about this vulnerability and the importance of controlling local access and process privileges.
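The following POSIX shell script is an added example, not part of this advisory and not code from Red Hat or the systemd project. It turns recommendations 3 and 4 above into something a defender can run: it evaluates the kernel's fs.suid_dumpable sysctl (0 disables core dumps of SUID processes; 1 and 2 allow them), checks whether Storage=none is set in systemd's coredump.conf so that no core file is written to disk, and flags journal lines in which a binary from a SUID watchlist dumped core. The watchlist, the sample coredump.conf text, and the sample journal lines are constructed for illustration; the script name suid-coredump-audit.sh and the --live flag are this example's own conventions.

```shell
#!/bin/sh
# suid-coredump-audit.sh (hypothetical name): audit helper for CVE-2025-4598 mitigations.
# Added example, not from the advisory, Red Hat or systemd. Sample inputs are constructed.

# Returns 0 when the fs.suid_dumpable value disables dumping of SUID processes (0),
# 1 when it permits them (1 = debug, 2 = suidsafe) or is unrecognised.
suid_dumpable_hardened() {
    case "$1" in
        0)   echo "fs.suid_dumpable=0: SUID processes are not dumped (hardened)"; return 0 ;;
        1|2) echo "fs.suid_dumpable=$1: SUID processes may be dumped"; return 1 ;;
        *)   echo "fs.suid_dumpable: unexpected value '$1'"; return 1 ;;
    esac
}

# Reads coredump.conf text on stdin. Returns 0 when the effective Storage= is "none"
# (no core file written), 1 otherwise. systemd's default when the key is absent is
# "external", so a missing key counts as not hardened. Commented-out keys are ignored.
coredump_storage_disabled() {
    storage=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1)
    [ "${storage:-external}" = "none" ]
}

# Constructed watchlist of SUID binaries to watch for crashes. On a real host, build it with:
#   find / -xdev -perm -4000 -type f 2>/dev/null | xargs -n1 basename
SUID_WATCHLIST="su sudo passwd chsh"

# Reads journal lines on stdin and prints those where a watchlisted binary dumped core.
# The message shape "Process <pid> (<comm>) of user <uid> dumped core." is what
# systemd-coredump logs; the sample lines below are constructed.
flag_suid_core_dumps() {
    pattern=$(printf '%s' "$SUID_WATCHLIST" | tr ' ' '|')
    grep -E "Process [0-9]+ \(($pattern)\) of user [0-9]+ dumped core"
}

# Prints the number of flagged lines (0 when none match).
count_suid_core_dumps() {
    flag_suid_core_dumps | wc -l | tr -d ' '
}

# Constructed sample data for offline use.
SAMPLE_CONF='[Coredump]
#Storage=external
Storage=none'

SAMPLE_JOURNAL='May 30 13:13:26 host systemd-coredump[4120]: Process 4101 (sudo) of user 1000 dumped core.
May 30 13:13:27 host systemd-coredump[4125]: Process 4109 (vim) of user 1000 dumped core.
May 30 13:14:02 host systemd-coredump[4130]: Process 4115 (passwd) of user 1000 dumped core.'

# Audits the running host: real sysctl value, real coredump.conf, and the journal if available.
audit_host() {
    rc=0
    if [ -r /proc/sys/fs/suid_dumpable ]; then
        suid_dumpable_hardened "$(cat /proc/sys/fs/suid_dumpable)" || rc=1
    fi
    if [ -r /etc/systemd/coredump.conf ]; then
        if coredump_storage_disabled < /etc/systemd/coredump.conf; then
            echo "coredump.conf: Storage=none (no core files written)"
        else
            echo "coredump.conf: core files are stored; consider Storage=none or strict ACLs"
            rc=1
        fi
    fi
    if command -v journalctl >/dev/null 2>&1; then
        echo "SUID core dumps in journal (investigate each):"
        journalctl -t systemd-coredump --no-pager 2>/dev/null | flag_suid_core_dumps
    fi
    return $rc
}

# Only touch the live system when explicitly asked; otherwise demonstrate on sample data.
if [ "${1:-}" = "--live" ]; then
    audit_host
else
    suid_dumpable_hardened 2
    printf '%s\n' "$SAMPLE_CONF" | coredump_storage_disabled && echo "sample coredump.conf: Storage=none"
    printf '%s\n' "$SAMPLE_JOURNAL" | flag_suid_core_dumps
fi
```

Run it as `sh suid-coredump-audit.sh --live` on a host to check the real sysctl, coredump.conf and journal; without the flag it only exercises the constructed samples. Setting fs.suid_dumpable to 0 removes the privileged core file the race needs, while Storage=none stops systemd-coredump from writing any core to disk; both are broad controls, so weigh them against your crash-debugging needs before deploying.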


Technical Details

Data Version
5.1
Assigner Short Name
redhat
Date Reserved
2025-05-12T16:33:34.815Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6839b29a182aa0cae2b1bcef

Added to database: 5/30/2025, 1:28:58 PM

Last enriched: 11/18/2025, 5:15:20 AM

Last updated: 11/22/2025, 7:34:29 PM

Views: 39

Community Reviews

0 reviews

