
CVE-2025-4598: Signal Handler Race Condition

Severity: Medium
Tags: Vulnerability, CVE-2025-4598
Published: Fri May 30 2025 (05/30/2025, 13:13:26 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat Enterprise Linux 10

Description

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

AI-Powered Analysis

AI analysis last updated: 12/17/2025, 14:32:10 UTC

Technical Analysis

CVE-2025-4598 is a race condition vulnerability found in systemd-coredump, a component responsible for capturing core dumps of crashed processes on Linux systems. The flaw specifically affects Red Hat Enterprise Linux 10 versions 0, 253.0 through 257.0. The vulnerability arises when an attacker with low privileges forces a SUID (Set User ID) process to crash. SUID processes run with elevated privileges, typically root, regardless of the invoking user's permissions. Upon crash, systemd-coredump attempts to analyze the process's auxiliary vector (/proc/pid/auxv) to generate a core dump. However, due to a race condition, the Linux kernel may recycle the process ID (PID) before systemd-coredump completes this analysis. If the attacker can win this race, they can replace the crashed SUID process with a non-SUID binary using the recycled PID. This manipulation allows the attacker to trick systemd-coredump into associating the privileged core dump with the non-privileged process, thereby gaining access to the privileged core dump file. Since core dumps contain the memory image of the crashed process, sensitive data loaded into memory—such as password hashes from /etc/shadow—can be exposed. The vulnerability impacts confidentiality but does not affect integrity or availability. Exploitation requires local access, low privileges, and has a high attack complexity, with no user interaction needed. The CVSS 3.1 base score is 4.7 (medium severity), reflecting the limited attack surface and complexity. No known exploits have been reported in the wild at the time of publication.

Potential Impact

For European organizations, this vulnerability poses a significant confidentiality risk, especially in environments where sensitive data is processed or stored on Linux servers running affected Red Hat Enterprise Linux 10 versions. Attackers with local access could leverage this flaw to extract privileged information such as password hashes, potentially enabling further lateral movement or privilege escalation within the network. Critical sectors including finance, healthcare, government, and telecommunications that rely heavily on Linux infrastructure could face data breaches or compliance violations if exploited. The vulnerability does not directly impact system integrity or availability, but the exposure of sensitive credentials could lead to broader security incidents. Organizations with multi-tenant environments or shared hosting on Linux servers are particularly at risk, as attackers might exploit this to access other tenants’ sensitive data. Given the medium severity and the requirement for local access, the threat is more relevant to insider threats or attackers who have already gained some foothold within the network.

Mitigation Recommendations

1. Apply patches and updates from Red Hat as soon as they become available to address this vulnerability in systemd-coredump.
2. Restrict local user access and enforce the principle of least privilege to minimize the number of users who can execute or interact with SUID binaries.
3. Monitor system logs and audit for unusual process crashes or unexpected core dump generation, which may indicate exploitation attempts.
4. Implement mandatory access controls (e.g., SELinux or AppArmor) to limit the ability of processes to manipulate or replace binaries and core dump files.
5. Disable core dumps for SUID binaries if not required, or configure systemd-coredump to restrict access to core dump files strictly.
6. Regularly review and harden SUID binaries on systems to reduce the attack surface.
7. Employ host-based intrusion detection systems (HIDS) to detect race condition exploitation patterns or suspicious file replacements.
8. Educate system administrators about the risks of local privilege escalation and the importance of timely patching.
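Items 3 and 5 above are the ones a defender can act on before a patch lands. The following Python script is an added example written for this page, not code from Red Hat or the systemd project. It does two things: it interprets the kernel's `fs.suid_dumpable` sysctl (0 means the kernel does not dump setuid processes at all, which removes the privileged core dump this flaw depends on), and it scans journal lines for the systemd-coredump message "Process <pid> (<comm>) of user <uid> dumped core." and flags repeated crashes of a SUID binary by one uid inside a short window, the pattern item 3 asks you to watch for. The journal lines are constructed samples in `journalctl -o short-iso` layout; the set of SUID executable names, the window and the threshold are assumptions you would tune for your hosts.

```python
"""Added example: audit fs.suid_dumpable and detect bursts of SUID core dumps."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# systemd-coredump's journal message, preceded by the `journalctl -o short-iso`
# prefix "<timestamp> <host> systemd-coredump[<pid>]:". Prefix layout is assumed.
CORE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+systemd-coredump\[\d+\]:\s+"
    r"Process (?P<pid>\d+) \((?P<comm>[^)]+)\) of user (?P<uid>\d+) dumped core\."
)

# Constructed sample journal: three sudo crashes by uid 1000 within 14 seconds,
# one unrelated bash crash by uid 1001, and one non-coredump line.
SAMPLE_JOURNAL = [
    "2025-05-30T13:13:26+0000 host1 systemd-coredump[4101]: Process 2031 (sudo) of user 1000 dumped core.",
    "2025-05-30T13:13:31+0000 host1 systemd-coredump[4107]: Process 2044 (sudo) of user 1000 dumped core.",
    "2025-05-30T13:13:40+0000 host1 systemd-coredump[4113]: Process 2058 (sudo) of user 1000 dumped core.",
    "2025-05-30T13:20:02+0000 host1 systemd-coredump[4250]: Process 2301 (bash) of user 1001 dumped core.",
    "2025-05-30T13:20:03+0000 host1 sshd[900]: Accepted publickey for alice from 10.0.0.5 port 51000",
]

# Assumed list of setuid-root executables worth alerting on; derive the real
# list on a host with: find / -xdev -perm -4000 -type f
SUID_COMMS = {"sudo", "su", "passwd", "chsh", "mount", "umount"}


def audit_suid_dumpable(value_text):
    """Interpret the contents of /proc/sys/fs/suid_dumpable.

    Returns (value, hardened). 0 = setuid processes are never dumped (the safe
    setting); 1 = dumped as a debug aid; 2 = 'suidsafe' mode, which still
    produces a dump and so still leaves the systemd-coredump path exposed.
    """
    value = int(value_text.strip())
    return value, value == 0


def read_suid_dumpable(path="/proc/sys/fs/suid_dumpable"):
    """Read the live sysctl value on a Linux host and audit it."""
    with open(path) as f:
        return audit_suid_dumpable(f.read())


def parse_coredump_events(lines):
    """Extract (timestamp, pid, comm, uid) from systemd-coredump journal lines."""
    events = []
    for line in lines:
        m = CORE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S%z")
        events.append({"ts": ts, "pid": int(m.group("pid")),
                       "comm": m.group("comm"), "uid": int(m.group("uid"))})
    return events


def find_crash_bursts(events, suid_comms, window=timedelta(seconds=60), threshold=3):
    """Flag a (uid, comm) pair whose SUID binary dumped core >= threshold
    times within `window`. A sliding window over sorted timestamps keeps this
    linear in the number of events per pair."""
    by_key = defaultdict(list)
    for e in events:
        if e["comm"] in suid_comms:
            by_key[(e["uid"], e["comm"])].append(e["ts"])
    alerts = []
    for (uid, comm), stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"uid": uid, "comm": comm, "count": end - start + 1,
                               "first": stamps[start], "last": stamps[end]})
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_crash_bursts(parse_coredump_events(SAMPLE_JOURNAL), SUID_COMMS):
        print(f"ALERT uid={a['uid']} {a['comm']} dumped core {a['count']}x "
              f"between {a['first'].isoformat()} and {a['last'].isoformat()}")
```

On a live host, feed `journalctl -o short-iso -u systemd-coredump` (or the full journal) into `parse_coredump_events` and call `read_suid_dumpable()` for the real sysctl value. If the audit reports a non-zero value and you do not need SUID dumps, `fs.suid_dumpable = 0` in a file under /etc/sysctl.d/ is the kernel-side control; on the systemd side, `ProcessSizeMax=0` under `[Coredump]` in /etc/systemd/coredump.conf stops systemd-coredump from collecting dumps at all. Neither replaces the vendor patch, which is what closes the race itself.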


Technical Details

Data Version
5.1
Assigner Short Name
redhat
Date Reserved
2025-05-12T16:33:34.815Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6839b29a182aa0cae2b1bcef

Added to database: 5/30/2025, 1:28:58 PM

Last enriched: 12/17/2025, 2:32:10 PM

Last updated: 1/7/2026, 8:53:03 AM

Views: 55

Community Reviews

0 reviews
