{"id":"CVE-2025-4598","details":"A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.\n\nA SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.","modified":"2026-04-16T04:36:23.058510827Z","published":"2025-05-30T14:15:23.557Z","related":["ALSA-2025:22660","CGA-v269-r344-q5c6","SUSE-SU-2025:02019-1","SUSE-SU-2025:02243-1","SUSE-SU-2025:02244-1","SUSE-SU-2025:02675-1","SUSE-SU-2025:20405-1","SUSE-SU-2025:20416-1","SUSE-SU-2025:20554-1","SUSE-SU-2025:20597-1","openSUSE-SU-2025:15299-1"],"references":[{"type":"WEB","url":"http://seclists.org/fulldisclosure/2025/Jun/9"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/07/msg00022.html"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/08/18/3"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:22660"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:22868"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:23227"},{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2025/08/18/3"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:0414"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:23234"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:1652"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2025-4598"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2369242"},{"type":"ARTICLE","url":"https://www.openwall.com/lists/oss-security/2025/05/29/3"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2025/06/05/1"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2025/06/05/3"},{"type":"EVIDENCE","url":"https://ciq.com/blog/the-real-danger-of-systemd-coredump-cve-2025-4598/"},{"type":"EVIDENCE","url":"https://blogs.oracle.com/linux/post/analysis-of-cve-2025-4598"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/systemd/systemd","events":[{"introduced":"5c79cdec10a547a866764a66e1e14898112a00cd"},{"fixed":"dd4db7e0409214863ea0427eb831896cb4c66840"},{"introduced":"70bae7648f2c18010187c9cf20093155eaa26029"},{"fixed":"00a12c234e2506f5cab683460199575f13c454db"},{"introduced":"0"},{"last_affected":"cff89041ae69dfeef957b25797b0af5dfcf657fb"},{"introduced":"0"},{"last_affected":"a9c72fe933efc9c77580fb4d7212e00f7a690c36"}],"database_specific":{"versions":[{"introduced":"256"},{"fixed":"256.14"},{"introduced":"257"},{"fixed":"257.6"},{"introduced":"0"},{"last_affected":"8-NA"},{"introduced":"0"},{"last_affected":"9-NA"}]}},{"type":"GIT","repo":"https://github.com/systemd/systemd-stable","events":[{"introduced":"0"},{"fixed":"7c9b17c9343e143465b6649d021a68a8c16b9a6e"},{"introduced":"477fdc5afed0457c43d01f3d7ace7209f81d3995"},{"fixed":"e507f508a7e9096dbf8bde689e3eb43f3be4c91b"},{"introduced":"994c7978608a0bd9b317f4f74ff266dd50a3e74e"},{"fixed":"8f21d057e4a216cd60340660e4e9c8f32aab6e00"},{"introduced":"db11bab38ccf1ed257f310d29070843d4c58ea01"},{"fixed":"32c4237a2bc8a29ceefbc277356e72e36889bedd"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"252.37"},{"introduced":"253"},{"fixed":"253.32"},{"introduced":"254"},{"fixed":"254.25"},{"introduced":"255"},{"fixed":"255.19"}]}}],"versions":["systemd-v1","systemd-v10","systemd-v11","systemd-v12","systemd-v13","systemd-v14","systemd-v15","systemd-v16","systemd-v17","systemd-v18","systemd-v183","systemd-v184","systemd-v185","systemd-v186","systemd-v187","systemd-v188","systemd-v189","systemd-v19","systemd-v190","systemd-v191","systemd-v192","systemd-v193","systemd-v194","systemd-v195","systemd-v196","systemd-v2","systemd-v20","systemd-v21","systemd-v22","systemd-v23","systemd-v24","systemd-v25","systemd-v26","systemd-v27","systemd-v28","systemd-v29","systemd-v3","systemd-v30","systemd-v31","systemd-v32","systemd-v33","systemd-v34","systemd-v35","systemd-v36","systemd-v37","systemd-v38","systemd-v39","systemd-v4","systemd-v40","systemd-v41","systemd-v42","systemd-v43","systemd-v44","systemd-v5","systemd-v6","systemd-v7","systemd-v8","systemd-v9","v1","v10","v11","v12","v13","v14","v15","v16","v17","v18","v183","v184","v185","v186","v187","v188","v189","v19","v190","v191","v192","v193","v194","v195","v196","v197","v198","v199","v2","v20","v200","v201","v202","v203","v204","v205","v206","v207","v208","v209","v21","v210","v211","v212","v213","v214","v215","v216","v217","v218","v219","v22","v220","v221","v222","v223","v224","v225","v226","v227","v228","v229","v23","v230","v231","v232","v233","v234","v235","v236","v237","v238","v239","v24","v240","v241","v241-rc1","v241-rc2","v242","v242-rc1","v242-rc2","v242-rc3","v242-rc4","v243","v243-rc1","v243-rc2","v244","v244-rc1","v245","v245-rc1","v245-rc2","v246","v246-rc1","v246-rc2","v247","v247-rc1","v247-rc2","v248","v248-2","v248-rc1","v248-rc2","v248-rc3","v248-rc4","v249","v249-rc1","v249-rc2","v249-rc3","v25","v250","v250-rc1","v250-rc2","v250-rc3","v251","v251-rc1","v251-rc2","v251-rc3","v252","v252-rc1","v252-rc2","v252-rc3","v252.1","v252.10","v252.11","v252.12","v252.13","v252.14","v252.15","v252.16","v252.17","v252.18","v252.19","v252.2","v252.20","v252.21","v252.22","v252.23","v252.24","v252.25","v252.26","v252.27","v252.28","v252.29","v252.3","v252.30","v252.31","v252.32","v252.33","v252.34","v252.35","v252.36","v252.4","v252.5","v252.6","v252.7","v252.8","v252.9","v253","v253.1","v253.10","v253.11","v253.12","v253.13","v253.14","v253.15","v253.16","v253.17","v253.18","v253.19","v253.2","v253.20","v253.21","v253.23","v253.24","v253.25","v253.26","v253.27","v253.28","v253.29","v253.3","v253.30","v253.31","v253.4","v253.5","v253.6","v253.7","v253.8","v253.9","v254","v254.1","v254.10","v254.11","v254.12","v254.13","v254.14","v254.15","v254.16","v254.17","v254.18","v254.19","v254.2","v254.20","v254.21","v254.22","v254.23","v254.24","v254.3","v254.4","v254.5","v254.6","v254.7","v254.8","v254.9","v255","v255.1","v255.10","v255.11","v255.12","v255.13","v255.14","v255.15","v255.16","v255.17","v255.18","v255.2","v255.3","v255.4","v255.5","v255.6","v255.7","v255.8","v255.9","v256","v256.1","v256.10","v256.11","v256.12","v256.13","v256.2","v256.3","v256.4","v256.5","v256.6","v256.7","v256.8","v256.9","v257","v257.1","v257.2","v257.3","v257.4","v257.5","v26","v27","v28","v29","v3","v30","v31","v32","v33","v34","v35","v36","v37","v38","v39","v4","v40","v41","v42","v43","v44","v5","v6","v7","v8","v9"],"database_specific":{"vanir_signatures_modified":"2026-04-12T15:59:37Z","vanir_signatures":[{"digest":{"length":1538,"function_hash":"16046565717551197252257395198478956374"},"id":"CVE-2025-4598-4d971043","deprecated":false,"source":"https://github.com/systemd/systemd-stable/commit/7c9b17c9343e143465b6649d021a68a8c16b9a6e","signature_type":"Function","target":{"file":"src/coredump/coredump.c","function":"save_context"},"signature_version":"v1"},{"digest":{"length":1538,"function_hash":"16046565717551197252257395198478956374"},"id":"CVE-2025-4598-4ec6ba05","deprecated":false,"target":{"file":"src/coredump/coredump.c","function":"save_context"},"signature_type":"Function","source":"https://github.com/systemd/systemd-stable/commit/e507f508a7e9096dbf8bde689e3eb43f3be4c91b","signature_version":"v1"},{"signature_version":"v1","id":"CVE-2025-4598-7a2bd108","deprecated":false,"target":{"file":"src/coredump/coredump.c","function":"save_context"},"signature_type":"Function","source":"https://github.com/systemd/systemd-stable/commit/8f21d057e4a216cd60340660e4e9c8f32aab6e00","digest":{"length":1538,"function_hash":"16046565717551197252257395198478956374"}},{"digest":{"length":1898,"function_hash":"86472870267374900837527740744553737822"},"id":"CVE-2025-4598-7f6d6ca7","deprecated":false,"target":{"file":"src/coredump/coredump.c","function":"save_context"},"signature_type":"Function","source":"https://github.com/systemd/systemd-stable/commit/32c4237a2bc8a29ceefbc277356e72e36889bedd","signature_version":"v1"},{"digest":{"line_hashes":["220796398704393213725680744786784732470","49074709061547304596575206381315648943","229800555317423346505805691286205146148","299788836959299593314243482012844247994"],"threshold":0.9},"id":"CVE-2025-4598-82f13eb6","deprecated":false,"source":"https://github.com/systemd/systemd-stable/commit/8f21d057e4a216cd60340660e4e9c8f32aab6e00","signature_type":"Line","target":{"file":"src/coredump/coredump.c"},"signature_version":"v1"},{"digest":{"line_hashes":["220796398704393213725680744786784732470","49074709061547304596575206381315648943","229800555317423346505805691286205146148","299788836959299593314243482012844247994"],"threshold":0.9},"id":"CVE-2025-4598-9f1ee238","deprecated":false,"target":{"file":"src/coredump/coredump.c"},"signature_type":"Line","source":"https://github.com/systemd/systemd-stable/commit/e507f508a7e9096dbf8bde689e3eb43f3be4c91b","signature_version":"v1"},{"digest":{"line_hashes":["220796398704393213725680744786784732470","49074709061547304596575206381315648943","229800555317423346505805691286205146148","299788836959299593314243482012844247994"],"threshold":0.9},"id":"CVE-2025-4598-a01e1f0e","deprecated":false,"target":{"file":"src/coredump/coredump.c"},"signature_type":"Line","source":"https://github.com/systemd/systemd-stable/commit/32c4237a2bc8a29ceefbc277356e72e36889bedd","signature_version":"v1"},{"signature_version":"v1","id":"CVE-2025-4598-b1a1fdc5","deprecated":false,"target":{"file":"src/coredump/coredump.c"},"signature_type":"Line","source":"https://github.com/systemd/systemd-stable/commit/7c9b17c9343e143465b6649d021a68a8c16b9a6e","digest":{"line_hashes":["220796398704393213725680744786784732470","49074709061547304596575206381315648943","229800555317423346505805691286205146148","299788836959299593314243482012844247994"],"threshold":0.9}}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0"}]},{"events":[{"introduced":"0"},{"fixed":"6.16"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-4598.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}