Much ado about nothing.
An attacker needs at least physical access to the device. Wow, what a danger.
cf. “The 10 Immutable Laws Of Security”
“Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.”
https://uptakedigital.zendesk.com/hc/en-us/articles/115000412533-10-Immutable-Laws-Of-Security-Version-2-0
It is an issue in a managed environment such as on corporation or school PCs.
The first vulnerability, CVE-2025-5054, affects Ubuntu’s Apport crash reporting system, while the second, CVE-2025-4598, impacts systemd-coredump, the default core dump handler used across Red Hat Enterprise Linux 9 and 10, as well as Fedora distributions.
Skimming through the Qualys report, it seems that the attacker would already need access to the device first, to be able to crash the processes and then collect the hashes, so I’d say this vulnerability appears to need chaining with other(s)?
They aren’t critical.