CVE-2025-38352
Published: 22 July 2025
Summary
CVE-2025-38352 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 27.6th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of the kernel race condition vulnerability through application of upstream patches like commits 2c72fe18cc5f et al.
Enables detection of systems affected by CVE-2025-38352 via vulnerability scanning of Linux kernel versions.
Mandates secure kernel configuration settings, such as enabling CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, which avoids the need for the tsk->exit_state check in the fix.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel race condition directly enables privilege escalation via exploitation of the POSIX CPU timers subsystem.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger…
more
right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.
Deeper analysisAI
CVE-2025-38352 is a race condition vulnerability in the Linux kernel's POSIX CPU timers subsystem. It arises between handle_posix_cpu_timers() and posix_cpu_timer_del() when an exiting non-autoreaping task has passed exit_notify() and calls handle_posix_cpu_timers() from an IRQ context. This allows the task to be reaped by its parent or debugger immediately after unlock_task_sighand(), causing posix_cpu_timer_del() to fail in detecting timer->it.cpu.firing != 0 due to failures in cpu_timer_task_rcu() or lock_task_sighand(). The affected component is the Linux kernel.
The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited by a local attacker requiring no privileges, though with high attack complexity and no user interaction. Exploitation leverages the race to disrupt timer handling during task exit, potentially leading to high impacts on confidentiality, integrity, and availability.
Mitigation requires applying upstream patches from the Linux kernel stable repository, including commits 2c72fe18cc5f, 2f3daa04a932, 460188bc042a, 764a7a5dfda2, and 78a4b8e3795b. The fix introduces a tsk->exit_state check in run_posix_cpu_timers() to prevent the race. This is unnecessary if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, as exit_task_work() precedes exit_notify(), though the check remains beneficial.
Details
- CWE(s)
- KEV Date Added
- 04 September 2025