Race Condition in Linux Kernel Affecting CPU Timer Handling
CVE-2025-38352
What is CVE-2025-38352?
CVE-2025-38352 is a vulnerability found in the Linux kernel related to the handling of CPU timers. The issue arises from a race condition occurring in the handle_posix_cpu_timers() function, which is called when a task's CPU timer needs to be processed. If a task that is actively being terminated concurrently invokes this function, it may interfere with the timer's deletion process, creating potential instability. Specifically, if the task has reached the exit notification stage and is reaped by its parent or debugger while the timer deletion function is executing, the necessary checks for the timer's state may fail, leading to undefined behavior.
This vulnerability poses a significant risk to organizations utilizing Linux systems since the kernel is foundational to the operating system's stability and security. The potential consequences range from system crashes to the possibility of malicious exploitation, where an attacker could leverage this vulnerability to execute arbitrary code or escalate privileges.
Potential impact of CVE-2025-38352
- System Instability: The concurrent execution of the timer handling and task termination functions could lead to unpredictable system behavior, including crashes or hangs, disrupting services and critical applications running on Linux.
- Privilege Escalation: If exploited, this vulnerability could allow an attacker to execute malicious code within the context of a higher privileged user, increasing their control over the system and enabling further attacks.
- Increased Attack Surface: The existence of this vulnerability may provide threat actors a new vector for exploitation, particularly if it can be leveraged in conjunction with other vulnerabilities or misconfigurations, leading to a broader compromise of organizational security.
CISA has reported CVE-2025-38352
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-38352 as being exploited, but CISA does not know it to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)
Linux 0bdd2ed4138ec04e09b4f8165981efc99e439f55 < 78a4b8e3795b31dae58762bc091bb0f4f74a2200
Linux 0bdd2ed4138ec04e09b4f8165981efc99e439f55
Linux 0bdd2ed4138ec04e09b4f8165981efc99e439f55 < 2f3daa04a9328220de46f0d5c919a6c0073a9f0b
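An added example (not part of the original page or of any vendor tooling): a shell function that checks a revision in a local kernel git clone against one of the commit ranges above, reading "A < B" as "introduced in A, fixed in B". The function name range_status and its output strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a kernel git revision against one
# "introduced < fixed" commit range from the Affected Version(s) list.
# Usage: range_status <repo> <rev> <introduced> [<fixed>]
# Prints one of: unknown, not-affected, fixed, affected.
range_status() {
    repo=$1 rev=$2 introduced=$3 fixed=${4:-}

    # The revision and the introducing commit must both exist in this clone;
    # otherwise ancestry cannot be decided and the answer is "unknown".
    for c in "$rev" "$introduced"; do
        git -C "$repo" cat-file -e "$c^{commit}" 2>/dev/null ||
            { echo unknown; return 2; }
    done

    # The flaw is only present once the introducing commit is in the history.
    if ! git -C "$repo" merge-base --is-ancestor "$introduced" "$rev"; then
        echo not-affected
        return 0
    fi

    # A fix commit that is an ancestor of rev means this history is patched.
    # A fix commit missing from the clone cannot be an ancestor of rev.
    if [ -n "$fixed" ] &&
       git -C "$repo" cat-file -e "$fixed^{commit}" 2>/dev/null &&
       git -C "$repo" merge-base --is-ancestor "$fixed" "$rev"; then
        echo fixed
        return 0
    fi

    echo affected
    return 1
}
```

Run it once per listed range; a tree counts as patched as soon as one range reports fixed, because different branches can carry the fix under different commit IDs.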
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
PoC Exploit Released for Android/Linux Kernel Vulnerability CVE-2025-38352
A PoC exploit for CVE-2025-38352, a Linux kernel race condition, has been released on GitHub after limited attacks on 32-bit Android devices.
PoC Exploit Released for Android and Linux Kernel Vulnerability CVE-2025-38352
The exploit, dubbed "Chronomaly," demonstrates complete privilege escalation to root access on vulnerable systems.
PoC Exploit Released for Use-After-Free Vulnerability in Linux Kernel's POSIX CPU Timers Implementation
A public proof-of-concept exploit released for a Linux kernel flaw that could let attackers gain higher privileges and compromise systems.
Timeline
- Vulnerability reached the number 1 worldwide trending spot
- Public PoC available
- Vulnerability started trending
- CISA Reported
- Used in Ransomware
- Exploit known to exist
- First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability Reserved