Intentionally Crashing Apps on Linux Could Expose Password Hashes

Silviu STAHIE

June 02, 2025

Security researchers have identified two security flaws in Linux that could have let attackers gain access to sensitive data like password hashes simply by forcing programs to crash.

Security experts from Qualys have found two vulnerabilities that directly impacted how Linux handles crash reports. The crash reports, or 'core dumps,' have a clear purpose: to record the state of an application when it crashes. This is an important tool for users trying to determine why an application has crashed.

The vulnerabilities, labeled CVE-2025-5054 and CVE-2025-4598, have impacted a number of popular Linux distros, including Ubuntu, Red Hat Enterprise Linux (RHEL), and Fedora.

How the attack works

An attacker who has already logged on to the system can exploit a race condition flaw. If the attacker crashes a privileged program (an application with elevated permissions) and immediately replaces it with their own process, the crash-handling tools can mistakenly send sensitive crash data directly to the attacker.

Vulnerability breakdown

CVE-2025-5054 (Ubuntu's Apport)

  • Affects Ubuntu's Apport tool (versions up to 2.32.0).
  • Attackers can quickly substitute a privileged crashed process.
  • Apport mistakenly forwards the original crash data, possibly sensitive information, to the attacker's substituted process.
  • Versions impacted: Ubuntu 16.04 to 24.04.

CVE-2025-4598 (systemd-coredump on RHEL, Fedora)

  • Affects systemd-coredump, a crash-reporting tool in RHEL and Fedora.
  • Attackers could crash a SUID (Set User ID) process and replace it with a non-privileged process.
  • They can then access sensitive information from the crash file generated by the original process.

Red Hat has rated this vulnerability as "moderate" because it's rather complex and not easy to weaponize.

Theoretical scenario

Imagine a computer lab in which students share Linux machines. A malicious user logs in using a student account. The attacker intentionally triggers a crash in a privileged password-checking tool (unix_chkpwd). Right as it crashes, the attacker quickly inserts a process with the same process ID. The crash-reporting tool mistakenly sends sensitive data from the original crash—potentially password hashes—to the attacker's process.

While cracking modern password hashes is challenging, it’s not impossible, especially if the original passwords are weak.

How to protect yourself

  • Ubuntu, RHEL, and Fedora have already rolled out patches. Users should apply these security updates as soon as possible.
  • Monitor systems closely for unexpected crashes or unusual activity.
  • Restrict access to tools that could trigger these conditions, particularly in multi-user environments.
  • Administrators can temporarily disable core dumps for privileged programs by running:
    echo 0 > /proc/sys/fs/suid_dumpable
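
One way to verify that this temporary mitigation is active on a host, as an added example that is not from the original article or from Qualys. The function names are hypothetical; the script assumes the standard kernel files /proc/sys/fs/suid_dumpable and /proc/sys/kernel/core_pattern and does not check package versions.

```shell
#!/bin/sh
# Added example (not from the article): check whether the temporary
# mitigation is in place. Reads kernel settings only; it does not check
# whether the Apport or systemd packages are patched.

# Map fs.suid_dumpable to its kernel meaning: 0 = privileged programs never
# dump core, 1 = all processes dump, 2 = privileged dumps allowed in
# restricted form (including through a piped core_pattern handler).
suid_dumpable_state() {
    case "$(cat "$1" 2>/dev/null)" in
        0) echo disabled ;;
        1) echo debug ;;
        2) echo suidsafe ;;
        *) echo unknown ;;
    esac
}

# Classify kernel.core_pattern: a leading "|" means the kernel pipes the
# core dump to a user-space handler program.
core_handler() {
    case "$(cat "$1" 2>/dev/null)" in
        '|'*apport*)           echo apport ;;
        '|'*systemd-coredump*) echo systemd-coredump ;;
        '|'*)                  echo other-pipe ;;
        '')                    echo unknown ;;
        *)                     echo file ;;
    esac
}

# Usage: audit_crash_exposure <sysctl root, normally /proc/sys>
# Returns 0 if SUID dumps are disabled or not handled by the two tools the
# article names, 1 if they are, 2 if the setting cannot be read.
audit_crash_exposure() {
    state=$(suid_dumpable_state "$1/fs/suid_dumpable")
    handler=$(core_handler "$1/kernel/core_pattern")
    echo "suid_dumpable=$state core_handler=$handler"
    [ "$state" = unknown ] && { echo "UNKNOWN: cannot read suid_dumpable"; return 2; }
    [ "$state" = disabled ] && { echo "OK: privileged programs do not dump core"; return 0; }
    case "$handler" in
        apport|systemd-coredump)
            echo "REVIEW: privileged crashes reach $handler; patch it or set suid_dumpable to 0"
            return 1 ;;
    esac
    echo "OK: cores are not handled by apport or systemd-coredump"
    return 0
}

# Run against a sysctl tree given as the first argument, e.g. /proc/sys.
if [ "$#" -gt 0 ]; then audit_crash_exposure "$1"; fi
```

Run it as `sh audit.sh /proc/sys`; a non-zero exit status makes it usable as a fleet compliance check until patches are confirmed.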

For typical home users, this threat level is low, as attackers must already have direct access to a machine. However, for organizations that deal with many users, sometimes sharing the same computers, the implications are difficult to quantify.
