PoC Exploit Released for Android/Linux Kernel Vulnerability CVE-2025-38352

A proof-of-concept (PoC) exploit for CVE-2025-38352, a critical race condition vulnerability in the Linux kernel, has been publicly released on GitHub.

The vulnerability, discovered earlier this year, targets the POSIX CPU timers implementation and was previously exploited in limited, targeted attacks against 32-bit Android devices.

CVE-2025-38352 is a use-after-free (UAF) vulnerability in the Linux kernel’s handle_posix_cpu_timers() function.

The flaw occurs when the CONFIG_POSIX_CPU_TIMERS_TASK_WORK configuration flag is disabled, a setting found on most 32-bit Android kernels but not on 64-bit systems.

The vulnerability arises from a race condition that occurs when POSIX CPU timers fire on zombie tasks.

By carefully timing the creation of a zombie process, reaping it through a parent process, and triggering timer deletion, attackers can cause the kernel to access freed memory, leading to privilege escalation or kernel code execution.

Chronomaly Exploit

Security researcher Faith (working at blockchain security firm Zellic) has released “Chronomaly,” a fully functional exploit targeting Linux kernel versions v5.10.x.

The exploit was introduced through a comprehensive three-part technical blog series covering the vulnerability’s discovery, analysis, and exploitation techniques.

The exploit is notable for not requiring kernel symbol offsets or specific memory addresses, making it portable across different kernel configurations.

It implements sophisticated race-window extension techniques via CPU timer manipulation and a cross-cache allocation strategy for sigqueue structures.

The exploit requires a multi-core system with at least two CPUs to reliably trigger the race condition.

Testing confirms successful exploitation on QEMU-virtualized Linux kernels running v5.10.157, with parameters adjustable for different environments.

The vulnerability has been added to CISA’s Known Exploited Vulnerabilities Catalog, indicating active exploitation.

While the threat primarily affects 32-bit Android devices, the kernel components involved are also present in 32-bit variants of other Linux-based systems.

According to the GitHub advisory, users should update to a patched kernel or enable the CONFIG_POSIX_CPU_TIMERS_TASK_WORK option.
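A defender-side check, added here and not taken from the article or the Chronomaly project: it reads a kernel config and reports whether CONFIG_POSIX_CPU_TIMERS_TASK_WORK is enabled, which the article names as the setting that removes the vulnerable code path. The config locations (/proc/config.gz, /boot/config-$(uname -r)) are the usual ones and are an assumption about the target system.

```shell
#!/bin/sh
# Report whether a kernel build enables CONFIG_POSIX_CPU_TIMERS_TASK_WORK.
# Per the article, CVE-2025-38352 is reachable only when this option is
# disabled, so "enabled" means the POSIX CPU timer expiry runs in task-work
# context and the described zombie-task race does not apply.
# Argument: path to a Kconfig-style text config. Prints one of
# enabled / disabled / absent; returns 0 only for "enabled".
check_posix_cpu_timers_task_work() {
    cfg="$1"
    opt="CONFIG_POSIX_CPU_TIMERS_TASK_WORK"
    if grep -q "^${opt}=y$" "$cfg"; then
        echo enabled
        return 0
    elif grep -q "^# ${opt} is not set$" "$cfg" || grep -q "^${opt}=n$" "$cfg"; then
        echo disabled
        return 1
    else
        # Older kernels (before the option existed) or stripped configs
        # contain no line for it at all; treat that as unknown, not safe.
        echo absent
        return 2
    fi
}

# Locate the running kernel's config: /proc/config.gz when the kernel
# exposes it, else the distribution's copy under /boot (assumed paths).
# Prints the path of a readable config; returns 1 if none is found.
running_kernel_config() {
    tmp="${TMPDIR:-/tmp}/kcfg.$$"
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz > "$tmp" && echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Run directly with --run to check the kernel this script executes on.
if [ "${1:-}" = "--run" ]; then
    cfg=$(running_kernel_config) || { echo "no kernel config found" >&2; exit 2; }
    printf '%s: %s\n' "$(uname -r)" "$(check_posix_cpu_timers_task_work "$cfg" || true)"
fi
```

A result of "disabled" on a 32-bit kernel is the condition the article describes as affected and should be treated as a patch-or-rebuild item; "absent" needs a look at the kernel version rather than being read as safe.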

The upstream Linux kernel patch (commit f90fff1e152dedf52b932240ebbd670d83330eca) addresses the vulnerability by preventing timer processing on zombie tasks.

Device manufacturers and system administrators should prioritize kernel updates to mitigate this critical vulnerability.
