CVE-2025-38352
Published: 22 July 2025
Summary
CVE-2025-38352 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 33.2th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
The vulnerability is a race condition (CWE-367) in the Linux kernel's POSIX CPU timers implementation between handle_posix_cpu_timers() and posix_cpu_timer_del(). An exiting non-autoreaping task that has passed exit_notify() can invoke handle_posix_cpu_timers() from IRQ context; after unlock_task_sighand(), the task may be reaped by its parent or debugger, causing cpu_timer_task_rcu() or lock_task_sighand() to fail in a concurrent posix_cpu_timer_del() and leaving timer->it.cpu.firing undetected.
An unprivileged local attacker can trigger the race by arranging for timer deletion during the narrow window after exit_notify() but before full task reaping. Successful exploitation can corrupt timer state and yield high impact on confidentiality, integrity, and availability on affected kernels.
The referenced stable commits add an explicit tsk->exit_state check inside run_posix_cpu_timers() to close the window. The check is unnecessary when CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y because exit_task_work() runs before exit_notify(), but the guard remains useful in other configurations.
EPSS remains low at 0.0014 with no reported rise or in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22297
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger…
more
right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.
- CWE(s)
- KEV Date Added
- 04 September 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel race condition directly enables privilege escalation via exploitation of the POSIX CPU timers subsystem.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely remediation of the kernel race condition vulnerability through application of upstream patches like commits 2c72fe18cc5f et al.
Enables detection of systems affected by CVE-2025-38352 via vulnerability scanning of Linux kernel versions.
Mandates secure kernel configuration settings, such as enabling CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, which avoids the need for the tsk->exit_state check in the fix.