A proof-of-concept (PoC) exploit has been publicly released for CVE-2025-38352, a race condition vulnerability affecting the Linux kernel’s POSIX CPU timer implementation.
The flaw enables attackers to trigger use-after-free conditions in kernel memory, potentially leading to privilege escalation and system compromise.
CVE-2025-38352 is a race condition that occurs in the kernel’s handle_posix_cpu_timers() function, which processes timer signals during CPU scheduler ticks.
The flaw lies in a timing window between the kernel collecting the firing timers and processing them; within that window an attacker can free timer structures that the kernel is still accessing.

| Field | Value |
|---|---|
| CVE ID | CVE-2025-38352 |
| Vulnerability Type | Race condition use-after-free in Linux kernel POSIX CPU timers |
| Affected Component | handle_posix_cpu_timers() in the Linux kernel POSIX CPU timers implementation |
| Affected Versions | Linux LTS 6.12.33 (and related vulnerable builds, especially 32-bit Android kernels) |
| Impact | Potential local privilege escalation via kernel memory corruption |
The flaw affects systems with CONFIG_POSIX_CPU_TIMERS_TASK_WORK disabled, making it particularly relevant to 32-bit Android devices.
The vulnerability requires specific conditions: a zombie process state must be reached, and precise timing coordination is needed to trigger the race condition.
The PoC, published on GitHub by security researcher Faraz Sth, demonstrates how an attacker can perform the following actions:

1. Create a POSIX CPU timer that fires after a specific CPU time interval.
2. Force a thread into a zombie state during critical kernel operations.
3. Reap the zombie task while timer processing is underway.
4. Delete the timer through the timer_delete() syscall, causing premature memory deallocation.
5. Trigger a use-after-free when the kernel continues accessing the freed timer.

When successful, the exploit generates KASAN memory sanitizer warnings indicating UAF write operations in the posix_timer_queue_signal() function. On non-KASAN systems, kernel warnings manifest in the send_sigqueue() function.
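As an added defender-side example (not part of this article and not the researcher's PoC), the following Python script checks the two things the article ties this issue to: whether a kernel configuration has CONFIG_POSIX_CPU_TIMERS_TASK_WORK disabled, and whether kernel log lines carry the KASAN use-after-free report in posix_timer_queue_signal() or the plain kernel warning in send_sigqueue(). The config fragments and log lines embedded in it are constructed samples; the report shapes it matches ("BUG: KASAN: ... in func+off/size" and "WARNING: CPU: n PID: m at file:line func+...") are the standard kernel formats and are an assumption of the script, while the two function names are the only indicators taken from the article.

```python
import gzip
import re
from pathlib import Path

# Functions the article names as the site of the KASAN UAF report
# and of the warning on non-KASAN builds.
INDICATOR_FUNCS = ("posix_timer_queue_signal", "send_sigqueue")

# Assumed report shapes (standard kernel formats, not taken from the article):
#   BUG: KASAN: slab-use-after-free in <func>+0x.../0x...
#   WARNING: CPU: 0 PID: 1 at <file>:<line> <func>+0x.../0x...
KASAN_UAF_RE = re.compile(r"BUG: KASAN: [\w-]*use-after-free in (?P<func>\w+)\+")
WARNING_RE = re.compile(r"WARNING: CPU: \d+ PID: \d+ at \S+ (?P<func>\w+)\+")


def parse_kconfig(text: str) -> dict:
    """Parse kernel .config text ('CONFIG_X=y' / '# CONFIG_X is not set')."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        unset = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if unset:
            cfg[unset.group(1)] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key] = value.strip('"')
    return cfg


def task_work_disabled(cfg: dict) -> bool:
    """True in the configuration the article describes as affected:
    CONFIG_POSIX_CPU_TIMERS_TASK_WORK not enabled (absent counts as disabled)."""
    return cfg.get("CONFIG_POSIX_CPU_TIMERS_TASK_WORK", "n") != "y"


def load_running_kconfig():
    """Best-effort read of the running kernel's config; None if unavailable."""
    gz = Path("/proc/config.gz")
    if gz.is_file():
        return parse_kconfig(gzip.decompress(gz.read_bytes()).decode())
    release = Path("/proc/sys/kernel/osrelease")
    if release.is_file():
        plain = Path(f"/boot/config-{release.read_text().strip()}")
        if plain.is_file():
            return parse_kconfig(plain.read_text())
    return None


def scan_kernel_log(lines):
    """Return (kind, function) pairs for log lines matching the article's indicators."""
    hits = []
    for line in lines:
        m = KASAN_UAF_RE.search(line)
        if m and m.group("func") in INDICATOR_FUNCS:
            hits.append(("kasan-uaf", m.group("func")))
            continue
        m = WARNING_RE.search(line)
        if m and m.group("func") in INDICATOR_FUNCS:
            hits.append(("warning", m.group("func")))
    return hits


# Constructed samples (not real captures).
SAMPLE_CONFIG_EXPOSED = "CONFIG_POSIX_TIMERS=y\n# CONFIG_POSIX_CPU_TIMERS_TASK_WORK is not set\n"
SAMPLE_CONFIG_OK = "CONFIG_POSIX_TIMERS=y\nCONFIG_POSIX_CPU_TIMERS_TASK_WORK=y\n"
SAMPLE_LOG = [
    "[  101.002] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
    "[  123.456] BUG: KASAN: slab-use-after-free in posix_timer_queue_signal+0x1a4/0x2b0",
    "[  123.457] Write of size 4 at addr ffff888012345678 by task demo/4321",
    "[  130.001] WARNING: CPU: 1 PID: 4321 at kernel/signal.c:LINE send_sigqueue+0x1e0/0x2a0",
    "[  131.000] BUG: KASAN: slab-use-after-free in unrelated_driver_fn+0x10/0x40",
]

if __name__ == "__main__":
    for label, text in (("exposed", SAMPLE_CONFIG_EXPOSED), ("ok", SAMPLE_CONFIG_OK)):
        print(f"sample config {label}: task_work disabled = {task_work_disabled(parse_kconfig(text))}")
    print("sample log hits:", scan_kernel_log(SAMPLE_LOG))
    running = load_running_kconfig()
    if running is None:
        print("running kernel config not readable; skipped")
    else:
        print("running kernel: task_work disabled =", task_work_disabled(running))
```

The configuration check only tells you whether a kernel is built in the configuration the article names as affected; it says nothing about whether the stable-branch fix is present, which depends on the build's patch level and has to be confirmed against the distribution's advisory. The log scan keys on the two function names only, so a KASAN report in an unrelated function (the last sample line) is deliberately not counted.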
According to Faith2dxy advisories, this vulnerability has been actively exploited in limited, targeted attacks.
The flaw requires local system access and precise timing manipulation, but successful exploitation could grant attackers elevated kernel privileges.
Kernel patches have been released through the Linux kernel’s stable branches. Users should update to patched kernel versions immediately.
The fix prevents zombie processes from executing timer handling code, eliminating the race window.
System administrators are advised to prioritize patching, particularly for Android devices and embedded Linux systems using vulnerable kernel versions. The public PoC availability accelerates the risk timeline for unpatched systems.