Cyber Resilience

CVE-2025-38352

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 22 July 2025

Published
22 July 2025
Modified
08 January 2026
KEV Added
04 September 2025
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0014 33.2th percentile
Risk Priority 35 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-38352 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 33.2th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

The vulnerability is a race condition (CWE-367) in the Linux kernel's POSIX CPU timers implementation between handle_posix_cpu_timers() and posix_cpu_timer_del(). An exiting non-autoreaping task that has passed exit_notify() can invoke handle_posix_cpu_timers() from IRQ context; after unlock_task_sighand(), the task may be reaped by its parent or debugger, causing cpu_timer_task_rcu() or lock_task_sighand() to fail in a concurrent posix_cpu_timer_del() and leaving timer->it.cpu.firing undetected.

An unprivileged local attacker can trigger the race by arranging for timer deletion during the narrow window after exit_notify() but before full task reaping. Successful exploitation can corrupt timer state and yield high impact on confidentiality, integrity, and availability on affected kernels.

The referenced stable commits add an explicit tsk->exit_state check inside run_posix_cpu_timers() to close the window. The check is unnecessary when CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y because exit_task_work() runs before exit_notify(), but the guard remains useful in other configurations.

EPSS remains low at 0.0014 with no reported rise or in-the-wild exploitation.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger…

more

right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.

CWE(s)
KEV Date Added
04 September 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel race condition directly enables privilege escalation via exploitation of the POSIX CPU timers subsystem.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2022-49063Same product: Debian Debian Linux
CVE-2023-52927Same product: Debian Debian Linux
CVE-2023-52935Same product: Debian Debian Linux
CVE-2026-31678Same product: Linux Linux Kernel
CVE-2024-58054Same product: Debian Debian Linux
CVE-2025-41244Same product: Debian Debian Linuxboth on KEV
CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-23275Same product: Linux Linux Kernel
CVE-2026-23437Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.16 · 2.6.36 — 5.4.295 · 5.5 — 5.10.239 · 5.11 — 5.15.186
debian
debian linux
11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of the kernel race condition vulnerability through application of upstream patches like commits 2c72fe18cc5f et al.

detect

Enables detection of systems affected by CVE-2025-38352 via vulnerability scanning of Linux kernel versions.

prevent

Mandates secure kernel configuration settings, such as enabling CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, which avoids the need for the tsk->exit_state check in the fix.

References