Race Condition in Linux Kernel Affecting CPU Timer Handling
CVE-2025-38352
What is CVE-2025-38352?
CVE-2025-38352 is a vulnerability found in the Linux kernel related to the handling of CPU timers. The issue arises from a race condition occurring in the handle_posix_cpu_timers() function, which is called when a task's CPU timer needs to be processed. If a task that is actively being terminated concurrently invokes this function, it may interfere with the timer's deletion process, creating potential instability. Specifically, if the task has reached the exit notification stage and is reaped by its parent or debugger while the timer deletion function is executing, the necessary checks for the timer’s state may fail, leading to undefined behavior.
This vulnerability poses a significant risk to organizations utilizing Linux systems since the kernel is foundational to the operating system's stability and security. The potential consequences range from system crashes to the possibility of malicious exploitation, where an attacker could leverage this vulnerability to execute arbitrary code or escalate privileges.
Potential impact of CVE-2025-38352
- System Instability: The concurrent execution of the timer handling and task termination functions could lead to unpredictable system behavior, including crashes or hangs, disrupting services and critical applications running on Linux.
- Privilege Escalation: If exploited, this vulnerability could allow an attacker to execute malicious code within the context of a higher privileged user, increasing their control over the system and enabling further attacks.
- Increased Attack Surface: The existence of this vulnerability may provide threat actors a new vector for exploitation, particularly if it can be leveraged in conjunction with other vulnerabilities or misconfigurations, leading to a broader compromise of organizational security.
CISA has reported CVE-2025-38352
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-38352 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Linux 0bdd2ed4138ec04e09b4f8165981efc99e439f55 < 78a4b8e3795b31dae58762bc091bb0f4f74a2200
Linux 0bdd2ed4138ec04e09b4f8165981efc99e439f55
Linux 0bdd2ed4138ec04e09b4f8165981efc99e439f55 < 2f3daa04a9328220de46f0d5c919a6c0073a9f0b
News Articles
Update your Android! Google patches 111 vulnerabilities, 2 are critical
Google has issued updates to patch a whopping 111 Android vulnerabilities, including two actively exploited ones.
4 days ago
Google fixes actively exploited Android flaws in September update
Google has released the September 2025 security update for Android devices, addressing a total of 84 vulnerabilities, including two actively exploited flaws.
4 days ago
Timeline
- 🦅 CISA Reported
- 💰 Used in Ransomware
- 👾 Exploit known to exist
- 📰 First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability Reserved