
How to Protect Against systemd-coredump Vulnerability (CVE-2025-4598) with RLC-H

Overview

A vulnerability in systemd-coredump (CVE-2025-4598) lets a local attacker who can run unprivileged code read sensitive data (such as password hashes and cryptographic keys) out of the memory of crashed SUID/SGID or otherwise privileged programs, within seconds.

  • Enterprise Linux 9 (EL9) systems are vulnerable by default.
  • EL7/8 systems are not affected in their default configurations.
  • RLC-H (Rocky Linux from CIQ – Hardened) blocks this attack through multiple layers of defense.

Demonstrations show:

  • Vanilla Rocky Linux 9.6 can be compromised in under 5 seconds.
  • Weak passwords cracked immediately.
  • RLC-H resists the attack by default.

Bottom line: This isn’t theoretical — it’s a working exploit against unpatched EL9 systems. RLC-H prevents it.

Introduction

Over two months after public disclosure of systemd-coredump CVE-2025-4598 by Qualys, the vulnerability remains unfixed in upstream Enterprise Linux. EL9 is fully exposed by default, while RLC-H has provided effective mitigations from the start.

Other vendors, such as Oracle, fixed the issue on disclosure. Qualys and Oracle described the vulnerability in detail, but here we demonstrate its severity through direct exploitation.

Background

When a program crashes, it may produce a core dump containing the program’s memory at the time of failure. Core dumps can include sensitive information.

When a process is not dumpable (it is SUID/SGID or has changed credentials), the kernel itself refuses to write its core dump unless fs.suid_dumpable says otherwise. Some distributions, however, set kernel.core_pattern to a pipe (a pattern beginning with '|'), so the kernel hands the dump to a user-space handler such as systemd-coredump, which then has to make the same safety decision on its own. Such handlers have historically contained vulnerabilities (e.g., Ubuntu's apport and Fedora/RHEL's abrt).

In 2022, systemd-coredump added its own copy of the kernel's dumpability check. In 2025, Qualys found that this check races against PID reuse: if the crashed privileged process is replaced by an attacker-controlled process with the same PID before the check runs, the check passes and the privileged process's memory is written out where the attacker can read it.

The Vulnerability

  • When systemd-coredump saves a dump, it makes the file readable to the user who owns the crashed process.
  • Some executables run with SUID/SGID privileges or start as privileged daemons, and hold data in memory that normal users cannot otherwise read (unix_chkpwd, for example, reads /etc/shadow to verify a password).
  • The kernel tracks this with a per-process dumpable flag, cleared for SUID/SGID and credential-changing processes; systemd-coredump has to re-check that flag itself, and did not do so reliably.
  • Exploitation hinges on a race: by reusing the crashed process's PID with an ordinary process, the attacker makes systemd-coredump's check pass, and the privileged process's memory is exposed.

Affected Systems

Vulnerability exists wherever:

  • systemd-coredump is the configured core dump handler (kernel.core_pattern)
  • fs.suid_dumpable is non-zero.

Info

  • These conditions are true by default on Fedora, EL9, and EL10.
  • They are not true by default on EL7 and EL8.
  • Fedora issued a fix quickly; EL9 is left highly exposed.
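A quick check for the two conditions above, written as an added example for this page (it is not CIQ's tooling or code from the systemd project): it reads kernel.core_pattern and fs.suid_dumpable through /proc/sys, reports whether the host matches the exposed configuration, and can write the fs.suid_dumpable=0 drop-in that the Defense in Depth section below describes. The drop-in file name and the sample patterns fed to the check are this example's own choices; the EL9 pipe pattern is the one systemd installs through its sysctl.d/50-coredump.conf.

```shell
#!/bin/sh
# Added example for this page, not code from CIQ, Rocky Linux or systemd.
# Checks the two preconditions for CVE-2025-4598 exposure and can write the
# fs.suid_dumpable=0 hardening drop-in. Assumptions: the sysctls are exposed
# as /proc/sys/kernel/core_pattern and /proc/sys/fs/suid_dumpable (standard
# on Linux); the drop-in file name is this example's own choice.

# coredump_exposed CORE_PATTERN SUID_DUMPABLE
# Returns 0 (true) when dumps are piped into systemd-coredump AND
# fs.suid_dumpable is non-zero, i.e. the configuration the page calls
# vulnerable. Returns 1 otherwise.
coredump_exposed() {
    pattern=$1
    dumpable=$2
    case "$pattern" in
        '|'*systemd-coredump*) ;;    # kernel pipes the dump to the handler
        *) return 1 ;;               # kernel writes the file itself, or another handler
    esac
    case "$dumpable" in
        0|'') return 1 ;;            # SUID/privileged processes never reach the handler
        *) return 0 ;;               # 1 or 2: the handler has to make the safety call
    esac
}

# host_exposed: reads the live sysctls and prints a verdict.
# Exit status: 0 exposed, 1 not exposed, 2 could not read the values.
host_exposed() {
    pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || true)
    dumpable=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || true)
    if [ -z "$pattern" ] || [ -z "$dumpable" ]; then
        echo "unknown: cannot read /proc/sys (not Linux, or restricted)"
        return 2
    fi
    if coredump_exposed "$pattern" "$dumpable"; then
        echo "EXPOSED: core_pattern='$pattern' fs.suid_dumpable=$dumpable"
        return 0
    fi
    echo "not exposed: core_pattern='$pattern' fs.suid_dumpable=$dumpable"
    return 1
}

# write_suid_dumpable_dropin DIR
# Writes a sysctl.d drop-in setting fs.suid_dumpable=0 (the RLC-H default
# described on this page) into DIR and prints its path. On a real host use
# DIR=/etc/sysctl.d and apply it with: sysctl --system
write_suid_dumpable_dropin() {
    out="$1/99-no-suid-coredump.conf"    # file name chosen for this example
    printf '%s\n' \
        '# Never dump SUID/SGID or otherwise privileged processes.' \
        '# systemd ships fs.suid_dumpable=2 in 50-coredump.conf; 0 closes the' \
        '# CVE-2025-4598 exposure whatever handler kernel.core_pattern names.' \
        'fs.suid_dumpable = 0' > "$out"
    echo "$out"
}

# Demonstration on constructed values. The first pattern is the pipe pattern
# systemd's sysctl.d/50-coredump.conf installs (the EL9/Fedora default).
el9_pattern='|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h'
if coredump_exposed "$el9_pattern" 2; then
    echo "EL9 default (handler + suid_dumpable=2): exposed"
fi
if ! coredump_exposed "$el9_pattern" 0; then
    echo "RLC-H default (handler + suid_dumpable=0): not exposed"
fi
if ! coredump_exposed core 2; then
    echo "kernel writes 'core' itself: outside this CVE's conditions"
fi
host_exposed || :
```

The check treats any non-zero fs.suid_dumpable as exposed, matching the page's condition: mode 1 makes SUID processes dumpable outright, and mode 2 (the value systemd ships) still feeds them to the pipe handler, which is exactly the path this CVE abuses. A drop-in named 99-... sorts after systemd's 50-coredump.conf, so it wins when sysctl --system or systemd-sysctl applies the directory.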

Severity

Once attempted, the exploit succeeds with very high probability. The attack requires no special skill, just the ability to run code locally as an unprivileged user.

Consequences:

  • Extraction of password hashes.
  • Theft of cryptographic keys.
  • Potential cracking of real user and root passwords.

Red Hat rated the CVE “Moderate,” but based on exploitability, the impact should be considered Important.

Exploitation

Exploitation is straightforward:

  1. Crash a program (e.g., send a signal).
  2. Force PID reuse (possible instantly via SUID helpers like newgrp).
  3. Win the race reliably (exploit code tends to succeed almost immediately).

Results:

  • On Rocky Linux 9.6, the exploit can dump password hashes (including root’s) in seconds.
  • On RLC-H 9.6, the exploit fails by default thanks to hardened settings.
  • If RLC-H mitigations are manually disabled (unsafe configuration), the exploit works similarly to vanilla EL9.

Defense in Depth with RLC-H

RLC-H blocks this exploit through multiple layers of defense:

  1. Safe core dump settings: fs.suid_dumpable=0 by default, so the kernel never hands a SUID/SGID or privileged process's memory to any handler, whatever kernel.core_pattern names.
  2. Restricted SUID programs: Access to dangerous helpers like unix_chkpwd and newgrp is limited.
  3. Stronger passwords by default:

    • passwdqc enforces stricter password quality rules, rejecting weak or common passwords that EL9 would allow.
    • yescrypt replaces sha512crypt as the hashing algorithm, making any captured hashes far more resistant to cracking — even with GPUs.

These measures mean that even if attackers somehow extracted hashes, they would face significantly higher difficulty in turning them into real passwords.
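To see which accounts would hand an attacker a GPU-friendly hash if a dump ever leaked, here is an added example (not part of the original page, and not CIQ's code) that classifies the crypt(3) prefix of each entry in a shadow-format input and counts the ones that are not memory-hard. The five-line sample is constructed test data with placeholder hash bodies; on a real host the same functions run against /etc/shadow as root.

```shell
#!/bin/sh
# Added example for this page, not code from CIQ or Rocky Linux. Classifies
# the crypt(3) hash prefix of each entry in shadow(5)-format input and counts
# accounts whose hash would be cheap to crack on GPUs if a core dump leaked
# it. SAMPLE_SHADOW is constructed data with placeholder hash bodies.

# hash_algo HASHFIELD -> prints the algorithm name for the crypt(3) prefix.
hash_algo() {
    case "$1" in
        '$y$'*)          echo yescrypt ;;     # memory-hard, RLC-H default
        '$7$'*)          echo scrypt ;;       # memory-hard, rare on Linux
        '$2'[abxy]'$'*)  echo bcrypt ;;       # rare on Linux, still costly on GPU
        '$6$'*)          echo sha512crypt ;;  # EL9 default, GPU-friendly
        '$5$'*)          echo sha256crypt ;;
        '$1$'*)          echo md5crypt ;;
        '!'*|'*'*)       echo locked ;;       # '!', '!!', '*': no usable hash
        '')              echo empty ;;
        *)               echo unknown ;;      # DES or something unexpected
    esac
}

# audit_shadow < FILE -> prints "user algorithm" for every entry.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(hash_algo "$hash")"
    done
}

# count_weak < FILE -> prints the number of accounts whose stored hash is
# not memory-hard (yescrypt/scrypt) or bcrypt, and not locked/empty.
count_weak() {
    n=0
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        case "$(hash_algo "$hash")" in
            sha512crypt|sha256crypt|md5crypt|unknown) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample: hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW=$(cat <<'EOF'
root:$6$saltsalt$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER:20000:0:99999:7:::
alice:$y$j9T$saltsaltsaltsaltsaltsa$PLACEHOLDERPLACEHOLDERPLACEHOLDER:20000:0:99999:7:::
bob:$5$saltsalt$PLACEHOLDERPLACEHOLDERPLACEHOLDER:20000:0:99999:7:::
svc:!!:20000::::::
nobody:*:20000::::::
EOF
)

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
echo "accounts with GPU-friendly hashes: $(printf '%s\n' "$SAMPLE_SHADOW" | count_weak)"
# On a real host, as root:  count_weak < /etc/shadow
```

Switching the default algorithm only affects passwords set after the change; an account keeps its $6$ hash until the password is next changed, so a non-zero count on a host that already defaults to yescrypt points at passwords that should be rotated.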

Additionally:

  • CIQ contributes these enhancements to the Rocky Linux community through SIG/Security.
  • Linux Kernel Runtime Guard (LKRG), in paranoid mode, can fully block systemd-coredump (optional, not default).
  • CIQ is planning further improvements to passwdqc and yescrypt.

Traditional Patching

CIQ also expects this CVE to be patched traditionally in upstream and Rocky Linux.
CIQ is delivering patches via its 9.x LTS products and the FastTrack repository for base RLC 9.

Summary

  • EL9 is vulnerable by default — attackers can steal hashes/keys in seconds.
  • Exploitation is real, fast, and trivial.
  • RLC-H fully mitigates the vulnerability with layered protections.
  • Organizations running EL9 should adopt RLC-H or apply upstream patches once available.

Bottom line: RLC-H customers are safe. Others remain at risk until patches arrive.
