CVE-2025-38352

Published Jul 22, 2025

Last updated 22 days ago

Exploit knownCVSS high 7.4
Linux Kernel

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-38352 is a vulnerability that exists in the Linux kernel, specifically within the handling of POSIX CPU timers. The vulnerability stems from a race condition between `handle_posix_cpu_timers()` and `posix_cpu_timer_del()`. This race condition can occur when a non-autoreaping task that is exiting has already passed `exit_notify()` and calls `handle_posix_cpu_timers()` from an interrupt request (IRQ). If a concurrent `posix_cpu_timer_del()` runs at the same time, it might not detect that `timer->it.cpu.firing != 0`, which can cause `cpu_timer_task_rcu()` and/or `lock_task_sighand()` to fail. This vulnerability can be exploited to gain elevated privileges on Android devices.

Description
In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Analyzed
Products
linux_kernel, debian_linux

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.4
Impact score
5.9
Exploitability score
1.4
Vector string
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability
Exploit added on
Sep 4, 2025
Exploit action due
Sep 25, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-367

Social media

Hype score
Not currently trending

  1. CVE-2025-38352 (Part 3) - Uncovering Chronomaly : https://t.co/2boyJFx1U1 Extending The Race Window Without a Kernel Patch (Part 2) : https://t.co/JWEn4Eh8iR In-the-wild Android Kernel Vulnerability Analysis + PoC : https://t.co/WME278c957 credits @farazsth98

    @binitamshah

    26 Jan 2026

    3132 Impressions

    7 Retweets

    37 Likes

    27 Bookmarks

    0 Replies

    0 Quotes

  2. PoC for CVE-2025-38352: race condition vulnerability in the Linux kernel's POSIX CPU timers implementation (@farazsth98) Part 1: https://t.co/neKegZKoow Part 2: https://t.co/4DQn0BKh3l #infosec https://t.co/0Up7zszZaU

    @0xor0ne

    22 Jan 2026

    7008 Impressions

    19 Retweets

    107 Likes

    51 Bookmarks

    1 Reply

    0 Quotes

  3. Analysis of a race condition vulnerability in Linux POSIX CPU Timer Subsystem (CVE-2025-38352) https://t.co/xr5DhZYS9m Credits @streypaws #infosec https://t.co/AOz1nIO0gD

    @0xor0ne

    19 Jan 2026

    3538 Impressions

    14 Retweets

    68 Likes

    24 Bookmarks

    1 Reply

    0 Quotes

  4. 🔓 Exploit CVE-2025-38352 in Android/Linux! Chronomaly targets v5.10.x kernels without specific offsets. 🚀 Get the scanner & full details on my page: https://t.co/lbqG36ZbMK #exploit #infosec #kernel #CVE202538352

    @TheExploitLab

    19 Jan 2026

    70 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Article series about exploiting CVE-2025-38352 @farazsth98 posted three articles about exploiting a race condition in the implementation of POSIX CPU timers. Part 1️⃣ describes reproducing this race condition https://t.co/o6poCwfBvz [1/3]

    @linkersec

    17 Jan 2026

    3167 Impressions

    19 Retweets

    54 Likes

    31 Bookmarks

    4 Replies

    0 Quotes

  6. ❗️Chronomaly: Android kernel exploit for CVE-2025-38352, previously exploited in-the-wild. Targets vulnerable Linux kernels v5.10.x. GitHub: https://t.co/upwQn77OwI https://t.co/TCiMfz7aOt

    @DarkWebInformer

    12 Jan 2026

    8502 Impressions

    23 Retweets

    97 Likes

    58 Bookmarks

    2 Replies

    0 Quotes

  7. #PoC #Exploit Released for #Android/#Linux Kernel Vulnerability CVE-2025-38352 https://t.co/aLTYN7Cl4o #cve #vulnerability #CyberSecurity

    @AntonioMinnella

    10 Jan 2026

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Analyzing and exploiting a race condition use-after-free vulnerability in the Linux kernel's POSIX CPU timers (CVE-2025-38352) https://t.co/neKegZKoow Credits @farazsth98 #infosec #Linux

    @0xor0ne

    9 Jan 2026

    4348 Impressions

    12 Retweets

    82 Likes

    46 Bookmarks

    2 Replies

    1 Quote

  9. CVE-2025-38352 - In-the-wild Android Kernel Vulnerability Analysis + PoC https://t.co/XZl764veHv PoC: https://t.co/19sBp74mWC

    @HackingTeam777

    8 Jan 2026

    2434 Impressions

    10 Retweets

    38 Likes

    19 Bookmarks

    1 Reply

    1 Quote

  10. PoC exploit for critical Linux kernel flaw CVE-2025-38352 released on GitHub, enabling root privilege escalation on 32-bit Android via a use-after-free bug previously used in targeted attacks. #Linux https://t.co/J1q4Fs7tFq

    @threatcluster

    7 Jan 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 🚨 “Chronomaly” PoC Exploit for Linux Kernel CVE-2025-38352 Enables Root on Vulnerable Android/Linux Builds A working PoC exploit dubbed “Chronomaly” targets CVE-2025-38352 (POSIX CPU timers UAF/race) to escalate privileges to root, with techniques that expand the race

    @ThreatSynop

    7 Jan 2026

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Linux Kernel POSIX CPU Timer の脆弱性 CVE-2025-38352:Android 標的の PoC が公開 https://t.co/cSpIvTPHpB

    @iototsecnews

    5 Jan 2026

    137 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. I'm excited to finally share Chronomaly, a kernel exploit for Android and Linux kernels 5.10.x using CVE-2025-38352. As a reminder, please patch your Android devices if you haven't already! I recommend getting some 🍿 before reading this post 👀 All links in the thread bel

    @farazsth98

    3 Jan 2026

    14922 Impressions

    71 Retweets

    299 Likes

    196 Bookmarks

    7 Replies

    2 Quotes

  14. CVE-2025-38352 exploit is finished!🎉 Definitely my most complex exploit to date! 😩 I'll release the exploit with part 3 of the blog post very soon! It targets vulnerable kernels 5.10.xx, no specific devices. Finally, demo time! Don't fall asleep while watching it! 🤣 ht

    @farazsth98

    2 Jan 2026

    21649 Impressions

    37 Retweets

    314 Likes

    104 Bookmarks

    10 Replies

    2 Quotes

  15. #exploit #Kernel_Security #Mobile_security CVE-2025-38352: Part 1 - https://t.co/FMzrGlrjGJ In-the-wild Android Kernel Vulnerability Analysis + PoC https://t.co/OoXEPB4JVW Part 2 - https://t.co/0GQbCIB9Cw Extending The Race Window Without a Kernel Patch ]-> Final PoC

    @ksg93rd

    29 Dec 2025

    4121 Impressions

    18 Retweets

    98 Likes

    43 Bookmarks

    1 Reply

    0 Quotes

  16. CVE-2025-38352: Why the New Linux POSIX Timer Bug is the Most Dangerous Race Condition of 2025 Read the full report on - https://t.co/nrEuX00B2G https://t.co/JdCisjKvPF

    @cyberbivash

    27 Dec 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. 📝 𝐏𝐨𝐂 𝐑𝐞𝐥𝐞𝐚𝐬𝐞𝐝 𝐟𝐨𝐫 𝐋𝐢𝐧𝐮𝐱 𝐊𝐞𝐫𝐧𝐞𝐥 𝐔𝐬𝐞-𝐀𝐟𝐭𝐞𝐫-𝐅𝐫𝐞𝐞 𝐅𝐥𝐚𝐰 • A public proof-of-concept (PoC) exploit is available for CVE-2025-38352, a race condition in the

    @PurpleOps_io

    26 Dec 2025

    80 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. LinuxカーネルのPOSIX CPUタイマー処理に起因する欠陥で、競合状態を突く実証コードが公開された。ゾンビ化したタスクとタイマー解放が衝突し、解放済みメモリ参照を誘発する点が注目されている。 問題はCVE

    @yousukezan

    24 Dec 2025

    2122 Impressions

    2 Retweets

    18 Likes

    11 Bookmarks

    0 Replies

    0 Quotes

  19. 🛡️ PoC Exploit Released for Linux Kernel’s POSIX CPU Timers Implementation Vulnerability Source: https://t.co/S00xzhRURX A proof-of-concept (PoC) exploit has been publicly released for CVE-2025-38352, a race condition vulnerability affecting the Linux kernel’s POSIX C

    @The_Cyber_News

    23 Dec 2025

    3307 Impressions

    22 Retweets

    72 Likes

    29 Bookmarks

    1 Reply

    0 Quotes

  20. 2025-12-22 の人気記事はコチラでした。(自動ツイート) #Hacker_Trends ――― CVE-2025-38352 - In-the-wild Android Kernel Vulnerability Analysis + PoC | Faith's Blog https://t.co/zpOujuEJcP https://t.co/JYSeoZY9eJ

    @motikan2010

    23 Dec 2025

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. CVE-2025-38352 - In-the-wild Android Kernel Vulnerability Analysis + PoC https://t.co/VwOAq4e4jh

    @securityshell

    22 Dec 2025

    1292 Impressions

    5 Retweets

    7 Likes

    5 Bookmarks

    1 Reply

    0 Quotes

  22. poc-CVE-2025-38352 #exploit #scanner This is a proof of concept for CVE-2025-38352, a vulnerability in the Linux kernel's POSIX CPU timers implementation. The September 2025 Android Bulletin mentions that this vulnerability has been u... https://t.co/dhiIhIkduG

    @TheExploitLab

    22 Dec 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. GitHub - farazsth98/poc-CVE-2025-38352: This is a proof of concept for CVE-2025-38352, a vulnerability in the Linux kernel's POSIX CPU timers implementation. The September 2025 Android Bulletin mentions that this vulnerability has been used in limited, https://t.co/E9X6enlznH

    @akaclandestine

    22 Dec 2025

    2235 Impressions

    4 Retweets

    25 Likes

    19 Bookmarks

    0 Replies

    0 Quotes

  24. CVE-2025-38352 - In-the-wild Android Kernel Vulnerability Analysis + PoC https://t.co/XZl764vMx3 PoC: https://t.co/19sBp74UMa

    @HackingTeam777

    22 Dec 2025

    1154 Impressions

    1 Retweet

    8 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  25. CVE-2025-38352: In-the-wild Android Kernel Vulnerability Analysis + PoC By @farazsth98 https://t.co/pMpCIVUVbf

    @0x_shaq

    22 Dec 2025

    8355 Impressions

    28 Retweets

    102 Likes

    79 Bookmarks

    0 Replies

    0 Quotes

  26. CVE-2025-38352 - In-the-wild Android Kernel Vulnerability Analysis + PoC | Faith's Blog - https://t.co/1tyz8mjpSG

    @piedpiper1616

    22 Dec 2025

    3155 Impressions

    7 Retweets

    47 Likes

    16 Bookmarks

    0 Replies

    0 Quotes

  27. After reading @streypaws blog post on CVE-2025-38352, I ended up writing my own PoC for it. I also wrote a blog post on my approach to analyzing and recreating the PoC. Hopefully it is useful to others! See link in the reply tweet below! https://t.co/Ldt8EWsEQT

    @farazsth98

    22 Dec 2025

    16953 Impressions

    24 Retweets

    140 Likes

    78 Bookmarks

    2 Replies

    2 Quotes

  28. ⚠️Vulnerabilidades en productos Ubuntu ❗CVE-2025-40114 ❗CVE-2025-22020 ❗CVE-2025-38352 ➡️Más info: https://t.co/9iTB2KEkdu https://t.co/R5ZZTUMdXE

    @CERTpy

    13 Nov 2025

    100 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. #VulnerabilityReport #android Researcher Details Zero-Day Linux/Android Kernel Flaw (CVE-2025-38352) https://t.co/Be4Yi5DCJi

    @Komodosec

    8 Nov 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. Linux POSIX CPU Timer Subsystem and Android race condition vulnerability analysis (CVE-2025-38352) https://t.co/xr5DhZYS9m Credits @streypaws #nfosec https://t.co/O0NSKe0UxR

    @0xor0ne

    2 Nov 2025

    6258 Impressions

    19 Retweets

    98 Likes

    46 Bookmarks

    1 Reply

    0 Quotes

  31. Patch NOW: Actively Exploited Linux/Android Kernel Zero-Day (CVE-2025-38352) Gives Attackers ROOT Access Read the full details on - https://t.co/jejLimxZDe https://t.co/3KtsEqUXDt

    @cyberbivash

    3 Oct 2025

    8 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  32. Linux POSIX CPU Timer Subsystem and vulnerability patch analysis for CVE-2025-38352 ((posix-cpu-timers TOCTOU Race condition)) https://t.co/xr5DhZYS9m Credits @streypaws #infosec #Linux https://t.co/A306jbFBcG

    @0xor0ne

    26 Sept 2025

    338 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. CVE-2025-38352 Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability: Linux kernel contains a time-of-check time-of-use (TOCTOU) race condition vulnerability that has a high impact on confidentiality, integrity, and availability.

    @ZeroDayFacts

    20 Sept 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. تحذير عاجل من جوجل: ثغرتان “Zero-Day” تهددان خصوصية مستخدمي أندرويد اكتشفت جوجل ثغرتين برمجيتين خطيرتين في نظام أندرويد (CVE-2025-38352 & CVE-2025-48543) تُتيحان للقراص

    @EgyptWindowN

    13 Sept 2025

    100 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. 🛡️ Cyber Threat Digest – 2025-09-11 KEV: CVE-2025-38352 — Linux Kernel Time-of-Check Time-of-Use NVD: CVE-2025-10231 — Incorrect File Handling Permission News: DDoS defender targeted in 1.5 Bpps… #cybersecurity #infosec #CVE More: https://t.co/J1fpKfnDnv

    @dpharristech

    11 Sept 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. 🛡️ Cyber Threat Digest – 2025-09-09 KEV: CVE-2025-38352 — Linux Kernel Time-of-Check Time-of-Use NVD: CVE-2025-22956 — OPSI before 4.3 allows News: Microsoft: Anti-spam bug blocks links in… #cybersecurity #infosec #CVE More: https://t.co/J1fpKfnDnv

    @dpharristech

    9 Sept 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. My research on CVE-2025-38352 (posix-cpu-timers TOCTOU Race condition) which was released in @Android Sept 2025 Bulletin, covering the internals, the patch-fix, vulnerability analysis, and a demo of a PoC that caused a crash in the Android kernel. Blog: https://t.co/ses8onPxiO

    @streypaws

    9 Sept 2025

    8962 Impressions

    35 Retweets

    157 Likes

    82 Bookmarks

    2 Replies

    1 Quote

  38. 🛡️ Cyber Threat Digest – 2025-09-08 KEV: CVE-2025-38352 — Linux Kernel Time-of-Check Time-of-Use NVD: CVE-2025-39727 — In the Linux kernel News: Google to make it easier to… #cybersecurity #infosec #CVE More: https://t.co/J1fpKfnDnv

    @dpharristech

    8 Sept 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. Google has issued its September 2025 security update for Android, addressing 84 vulnerabilities, including two actively exploited zero-days: CVE-2025-38352 (elevation of privilege in the Android kernel) CVE-2025-48543 (Android Runtime bypass) Additional critical fixes include a

    @host1up

    8 Sept 2025

    86 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  40. Google ปล่อยอัปเดตความปลอดภัย Android เดือนกันยายน ซึ่งรวมการแก้ไขช่องโหว่จำนวนมาก และระบุว่ามี ช่องโหว่ Zero-

    @cyber_thailand1

    8 Sept 2025

    0 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  41. 🔴 جوجل تُحذر مستخدمي أندرويد من ثغرتين خطيرتين! - CVE-2025-48543 - CVE-2025-38352 https://t.co/9rdmBCVMoA #تقنية #برمجة #أمن_سيبراني #ذكاء_اصطناعي #تكنولوجيا #ابتكار #تطوير #مستقب

    @AAlkwn46468

    7 Sept 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  42. 🚨 KeysGuard Alert - Sept 7 🔴 CRITICAL: • GhostRedirector APT: 65+ servers hit • HexStrike-AI weaponized • Sitecore 0-day exploited • Linux CVE-2025-38352 active 📈 AI scams +148% #CyberSecurity #ThreatIntel https://t.co/FaskCRz3ky

    @404LABSx

    7 Sept 2025

    81 Impressions

    0 Retweets

    6 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. 🚨 KeysGuard Alert - Sept 7 🔴 CRITICAL: • GhostRedirector APT: 65+ servers hit • HexStrike-AI weaponized • Sitecore 0-day exploited • Linux CVE-2025-38352 active 📈 AI scams +148% #CyberSecurity #ThreatIntel https://t.co/StcYi64Wf6

    @404LABSx

    7 Sept 2025

    63 Impressions

    0 Retweets

    6 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. أطلقت جوجل تحذيرًا عاجلًا لملايين مستخدمي نظام أندرويد بعد رصد ثغرتين أمنيتين بالغة الخطورة تم استغلالهما بشكل محدود ضد فئات حساسة تشمل صحفيين وناشطين و

    @MontahaNews

    7 Sept 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. Deux failles de sécurité ont été corrigées par Google dans le patch de sécurité Android de septembre 2025. CVE-2025-38352 : Cette faille affecte le noyau Linux au cœur d'Android. CVE-2025-48543 : Cette autre faille concerne l'Android Runtime; l'exécution de Java et Kot

    @mostefaouismail

    7 Sept 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. 🛡️ Cyber Threat Digest – 2025-09-07 KEV: CVE-2025-38352 — Linux Kernel Time-of-Check Time-of-Use NVD: CVE-2025-10034 — vulnerability was found in News: VirusTotal finds hidden malware phishing campaign… #cybersecurity #infosec #CVE More: https://t.co/J1fpKfnDnv

    @dpharristech

    7 Sept 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. 🛡️ Cyber Threat Digest – 2025-09-06 KEV: CVE-2025-38352 — Linux Kernel Time-of-Check Time-of-Use NVD: CVE-2025-10011 — weakness has been identified News: Microsoft now enforces MFA on Azure… #cybersecurity #infosec #CVE More: https://t.co/J1fpKfnDnv

    @dpharristech

    6 Sept 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. Actively exploited CVE : CVE-2025-38352

    @transilienceai

    6 Sept 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  49. In September 2025, Google released a significant Android security update addressing 84 vulnerabilities, including two actively exploited zero-day flaws: CVE-2025-38352 (an elevation of privilege flaw in the Android kernel) and CVE-2025-48543 .

    @pdrajeev_11

    5 Sept 2025

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  50. 🛡️ We added Linux kernel, Android runtime, and Sitecore vulnerabilities CVE-2025-38352, CVE-2025-48543, & CVE-2025-53690 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/dlW52McD9e & apply mitigations to protect your org from cyberattacks. #Cybersec

    @sirjameshackz

    4 Sept 2025

    62 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

References

Sources include official advisories and independent security research.