Linux Flaws Let Hackers Steal Password Hashes at Scale

Two critical vulnerabilities in widely used Linux distributions could allow local attackers to extract password hashes by manipulating core dump files, according to researchers at the Qualys Threat Research Unit. The flaws, CVE-2025-5054 and CVE-2025-4598, affect Ubuntu’s Apport and systemd-coredump, which is used in Red Hat Enterprise Linux 9/10 and Fedora 40/41.

Both bugs stem from race conditions that let users access sensitive memory data from SUID (Set User ID) programs. Proof-of-concept exploits show that attackers can target the unix_chkpwd process to retrieve password hashes.

Affected systems include Ubuntu versions from 16.04 to 24.04 and Red Hat-based distributions. Debian is unaffected by default. Security teams are urged to disable core dumps for SUID programs by setting `/proc/sys/fs/suid_dumpable` to 0.
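
One way to check that the `suid_dumpable` mitigation above is in place and will survive a reboot, as an added example (not part of the original article and not Qualys's mitigation script). The sysctl key name `fs.suid_dumpable`, the config locations under `/etc` and the simplified file ordering are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit the fs.suid_dumpable mitigation (runtime + persisted).
# File paths are parameters so the functions can be run on constructed files.

# Print the running kernel's value, or "unknown" if the file is unreadable.
runtime_value() {
    f=${1:-/proc/sys/fs/suid_dumpable}
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; echo; else echo unknown; fi
}

# Print the last fs.suid_dumpable assignment found in the given sysctl config
# files, read in the order given; "unset" if none of them assigns it.
# Accepts "fs.suid_dumpable" or "fs/suid_dumpable" and an optional leading "-".
persisted_value() {
    val=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n 's|^[[:space:]]*-\{0,1\}fs[./]suid_dumpable[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*$|\1|p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    echo "$val"
}

# Verdict: OK only when the running value is 0 and the persisted setting is
# also 0, so the mitigation is not lost at the next boot.
# Exit status: 0 = OK, 1 = not persisted, 2 = not applied at runtime.
assess() {
    case "$1:$2" in
        0:0) echo "OK: SUID core dumps disabled now and after reboot" ;;
        0:*) echo "WARN: runtime is 0 but persisted value is '$2'"; return 1 ;;
        *)   echo "FAIL: runtime fs.suid_dumpable is '$1' (want 0)"; return 2 ;;
    esac
}

# Audit the live system only when asked to. Assumption: /etc/sysctl.d/*.conf
# is read before /etc/sysctl.conf; /run and /usr/lib sysctl.d are not covered.
if [ "${1:-}" = "--audit" ]; then
    assess "$(runtime_value)" \
           "$(persisted_value /etc/sysctl.d/*.conf /etc/sysctl.conf)"
fi
```

Run it with `--audit` on a host; a `WARN` result means the value was set by hand in `/proc` but no config file will reapply it after a reboot.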

Qualys has released mitigation scripts but warns of potential operational risks. The discovery highlights the urgency of patching and implementing temporary defenses to prevent privilege escalation and lateral movement within compromised networks.
