CVE-2025-4598 | Systemd-coredump: race condition that allows a local attacker to crash a suid program and gain read access to the resulting core dump


A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary in order to access the core dump of the original privileged process, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.

A SUID binary or process has a special type of permission that allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to.

An attacker can leverage this flaw by forcing a SUID process to crash and making the Linux kernel recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the core dump file of the original SUID process and can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

Published: 2025-05-30 Last update: 2026-05-19 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2025-4598 is rated Exploit Available (50/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.10%). Core evidence: 2 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.


Public exploit references (Exploit-DB) for CVE-2025-4598

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2025-4598

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-03-26 0.04% 0.10% +0.06%
2 2026-02-18 0.06% 0.04% -0.02%
3 2026-02-13 0.06%

Full EPSS history (8 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-4598

CVSS metrics for this CVE.

Base score: 4.7
Version: 3.1
Severity: MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.0
Impact: 3.6
Score source: [email protected]

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component, with no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

Weakness enumeration for CVE-2025-4598

GitHub Security Advisory for CVE-2025-4598

GHSA-jx2m-wgq5-5qcj · Severity: medium — A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID...

OS Trackers for CVE-2025-4598

vendor priority summary link
debian not yet assigned CVE-2025-4598 not yet assigned priority: Debian including 1 source packages (systemd), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2025-4598
redhat medium https://access.redhat.com/security/cve/CVE-2025-4598
suse medium CVE-2025-4598 severity moderate: SUSE including 525 source package names (0.1.6-1.2:libsystemd0-254.25-150600.4.40.1, 0.23.1-11.13:libsystemd0-254.25-150600.4.40.1, …), 2097 product×package rows across 362 product lines (Container bci/kiwi, Container bci/spack, … (362 product lines)): Fixed 1871, Known Affected 226. https://www.suse.com/security/cve/CVE-2025-4598/
ubuntu medium CVE-2025-4598 medium priority: Ubuntu including 1 source packages (systemd), 9 status rows across 9 suites (bionic, focal, jammy, noble, oracular, plucky, trusty, upstream, xenial): released 6, not-affected 3. https://ubuntu.com/security/CVE-2025-4598

Affected software / configurations for CVE-2025-4598

Vendor Product Version Raw CPE
systemd_project systemd < 252.37 cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*
systemd_project systemd >= 253, < 253.32 cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*
systemd_project systemd >= 254, < 254.25 cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*
systemd_project systemd >= 255, < 255.19 cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*
systemd_project systemd >= 256, < 256.14 cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*
systemd_project systemd >= 257, < 257.6 cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*
redhat openshift_container_platform 4.0 cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
redhat enterprise_linux 7.0 cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
redhat enterprise_linux 8.0 cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
redhat enterprise_linux 9.0 cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
redhat enterprise_linux 10.0 cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
debian debian_linux 11.0 cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
debian debian_linux 12.0 cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
oracle linux 8 cpe:2.3:o:oracle:linux:8:-:*:*:*:*:*:*
oracle linux 9 cpe:2.3:o:oracle:linux:9:-:*:*:*:*:*:*
linux linux_kernel < 6.16 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

References for CVE-2025-4598

URL Tags
https://access.redhat.com/errata/RHSA-2025:22660
https://access.redhat.com/errata/RHSA-2025:22868
https://access.redhat.com/errata/RHSA-2025:23227
https://access.redhat.com/errata/RHSA-2025:23234
https://access.redhat.com/errata/RHSA-2026:0414
https://access.redhat.com/errata/RHSA-2026:1652
https://access.redhat.com/errata/RHSA-2026:18153
https://access.redhat.com/security/cve/CVE-2025-4598 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2369242 Issue Tracking
https://www.openwall.com/lists/oss-security/2025/05/29/3 Mailing List
http://seclists.org/fulldisclosure/2025/Jun/9
http://www.openwall.com/lists/oss-security/2025/06/05/1 Mailing List
http://www.openwall.com/lists/oss-security/2025/06/05/3 Mailing List
http://www.openwall.com/lists/oss-security/2025/08/18/3
https://blogs.oracle.com/linux/post/analysis-of-cve-2025-4598 Exploit Third Party Advisory
https://ciq.com/blog/the-real-danger-of-systemd-coredump-cve-2025-4598/ Exploit Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/07/msg00022.html
https://www.openwall.com/lists/oss-security/2025/08/18/3 Mailing List Third Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-082556.html