CVE-2025-4598

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.

A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

References

Affected packages

Git / github.com/systemd/systemd

Affected ranges

Type: GIT
Repo: https://github.com/systemd/systemd
Events: Introduced

5c79cdec10a547a866764a66e1e14898112a00cd

Fixed

dd4db7e0409214863ea0427eb831896cb4c66840

Introduced

70bae7648f2c18010187c9cf20093155eaa26029

Fixed

00a12c234e2506f5cab683460199575f13c454db

Affected versions

Other

v256

v257

v257-rc1

v257-rc2

v257-rc3

v256.*

v256.1

v256.10

v256.11

v256.12

v256.13

v256.2

v256.3

v256.4

v256.5

v256.6

v256.7

v256.8

v256.9

v257.*

v257.1

v257.2

v257.3

v257.4

v257.5

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-4598.json"

Git / github.com/systemd/systemd-stable

Affected ranges

Type: GIT
Repo: https://github.com/systemd/systemd-stable
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7c9b17c9343e143465b6649d021a68a8c16b9a6e

Introduced

477fdc5afed0457c43d01f3d7ace7209f81d3995

Fixed

e507f508a7e9096dbf8bde689e3eb43f3be4c91b

Introduced

994c7978608a0bd9b317f4f74ff266dd50a3e74e

Fixed

8f21d057e4a216cd60340660e4e9c8f32aab6e00

Introduced

db11bab38ccf1ed257f310d29070843d4c58ea01

Fixed

32c4237a2bc8a29ceefbc277356e72e36889bedd

Affected versions

Other

v253

v254

v254-rc1

v254-rc2

v254-rc3

v255

v255-rc1

v255-rc2

v255-rc3

v255-rc4

v253.*

v253.1

v253.10

v253.11

v253.12

v253.13

v253.14

v253.15

v253.16

v253.17

v253.18

v253.19

v253.2

v253.20

v253.21

v253.23

v253.24

v253.25

v253.26

v253.27

v253.28

v253.29

v253.3

v253.30

v253.31

v253.4

v253.5

v253.6

v253.7

v253.8

v253.9

v254.*

v254.1

v254.10

v254.11

v254.12

v254.13

v254.14

v254.15

v254.16

v254.17

v254.18

v254.19

v254.2

v254.20

v254.21

v254.22

v254.23

v254.24

v254.3

v254.4

v254.5

v254.6

v254.7

v254.8

v254.9

v255.*

v255.1

v255.10

v255.11

v255.12

v255.13

v255.14

v255.15

v255.16

v255.17

v255.18

v255.2

v255.3

v255.4

v255.5

v255.6

v255.7

v255.8

v255.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-4598.json"

vanir_signatures

[
    {
        "target": {
            "file": "src/coredump/coredump.c",
            "function": "save_context"
        },
        "digest": {
            "length": 1538.0,
            "function_hash": "16046565717551197252257395198478956374"
        },
        "signature_type": "Function",
        "id": "CVE-2025-4598-4d971043",
        "source": "https://github.com/systemd/systemd-stable/commit/7c9b17c9343e143465b6649d021a68a8c16b9a6e",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/coredump/coredump.c",
            "function": "save_context"
        },
        "digest": {
            "length": 1538.0,
            "function_hash": "16046565717551197252257395198478956374"
        },
        "signature_type": "Function",
        "id": "CVE-2025-4598-4ec6ba05",
        "source": "https://github.com/systemd/systemd-stable/commit/e507f508a7e9096dbf8bde689e3eb43f3be4c91b",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/coredump/coredump.c",
            "function": "save_context"
        },
        "digest": {
            "length": 1538.0,
            "function_hash": "16046565717551197252257395198478956374"
        },
        "signature_type": "Function",
        "id": "CVE-2025-4598-7a2bd108",
        "source": "https://github.com/systemd/systemd-stable/commit/8f21d057e4a216cd60340660e4e9c8f32aab6e00",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/coredump/coredump.c",
            "function": "save_context"
        },
        "digest": {
            "length": 1898.0,
            "function_hash": "86472870267374900837527740744553737822"
        },
        "signature_type": "Function",
        "id": "CVE-2025-4598-7f6d6ca7",
        "source": "https://github.com/systemd/systemd-stable/commit/32c4237a2bc8a29ceefbc277356e72e36889bedd",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/coredump/coredump.c"
        },
        "digest": {
            "line_hashes": [
                "220796398704393213725680744786784732470",
                "49074709061547304596575206381315648943",
                "229800555317423346505805691286205146148",
                "299788836959299593314243482012844247994"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2025-4598-82f13eb6",
        "source": "https://github.com/systemd/systemd-stable/commit/8f21d057e4a216cd60340660e4e9c8f32aab6e00",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/coredump/coredump.c"
        },
        "digest": {
            "line_hashes": [
                "220796398704393213725680744786784732470",
                "49074709061547304596575206381315648943",
                "229800555317423346505805691286205146148",
                "299788836959299593314243482012844247994"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2025-4598-9f1ee238",
        "source": "https://github.com/systemd/systemd-stable/commit/e507f508a7e9096dbf8bde689e3eb43f3be4c91b",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/coredump/coredump.c"
        },
        "digest": {
            "line_hashes": [
                "220796398704393213725680744786784732470",
                "49074709061547304596575206381315648943",
                "229800555317423346505805691286205146148",
                "299788836959299593314243482012844247994"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2025-4598-a01e1f0e",
        "source": "https://github.com/systemd/systemd-stable/commit/32c4237a2bc8a29ceefbc277356e72e36889bedd",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/coredump/coredump.c"
        },
        "digest": {
            "line_hashes": [
                "220796398704393213725680744786784732470",
                "49074709061547304596575206381315648943",
                "229800555317423346505805691286205146148",
                "299788836959299593314243482012844247994"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2025-4598-b1a1fdc5",
        "source": "https://github.com/systemd/systemd-stable/commit/7c9b17c9343e143465b6649d021a68a8c16b9a6e",
        "deprecated": false,
        "signature_version": "v1"
    }
]