External risk intelligence

Linux Kernel CPU Timer Race Condition Vulnerability

CVE advisory | Known Exploit

CVE-2025-38352

A Linux kernel vulnerability allows for a race condition affecting POSIX CPU timers. This can lead to system instability and data corruption if an exiting task is concurrently managed by timer functions. Organizations should address this to mitigate business risk.

1 Halo Surface Signal

Linux Kernel

  • 2.6.36 to before 5.4.295
  • 5.5 to before 5.10.239
  • 5.11 to before 5.15.186
  • 5.16 to before 6.1.142
  • 6.2 to before 6.6.94
  • 6.7 to before 6.12.34
  • 6.13 to before 6.15.3
  • 6.16
  • 11.0

External exposure likelihood

Halo Surface Signal score for CVE-2025-38352

This is a vulnerability in the Linux kernel regarding internal process management and CPU timers. It is a local kernel-level issue that does not provide a network-reachable surface and is not exposed to the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

The Linux kernel contains a race condition vulnerability within its POSIX CPU timers. This flaw can occur when a task is exiting and simultaneously being managed by CPU timer functions.

  • Linux kernel POSIX CPU timers
  • Race condition in task exit and timer deletion
  • Potential data corruption and system instability

Attack Path

How an attacker could exploit the issue

A race condition in the Linux kernel's handling of POSIX CPU timers can be exploited when a task is exiting. If a specific sequence of events occurs involving the exiting task and a concurrent timer deletion operation, it can lead to failures in critical kernel functions. This can impact system stability and data integrity.

  • Exposure condition: A task is exiting.
  • Attacker starting point: Local system access.
  • Trigger and result: Race condition causes failures.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability in the Linux kernel could allow an attacker with local access to disrupt system operations, potentially impacting data confidentiality, integrity, and availability. The exploit requires a specific timing condition during process exit and timer deletion, making it complex to achieve. Organizations should prioritize patching systems to mitigate this risk.

  • Attackers likely need advanced skills.
  • Requires local system access.
  • Potential for high business risk.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A race condition affecting POSIX CPU timers in the Linux kernel has been resolved. This issue could allow a task to be unexpectedly reaped, leading to failures in timer deletion operations. Organizations utilizing affected Linux kernel versions should take action to identify and address potential risks.

  • Find affected Linux kernel assets.
  • Isolate risk or reduce exposure.
  • Apply vendor fixes and validate.
  • Monitor for related issues.

Frequently asked questions

What is the software context for CVE-2025-38352, and which products are affected?

CVE-2025-38352 affects the Linux kernel in the following version ranges, each running from the first version up to, but not including, the second: 2.6.36 to 5.4.295, 5.5 to 5.10.239, 5.11 to 5.15.186, 5.16 to 6.1.142, 6.2 to 6.6.94, 6.7 to 6.12.34, and 6.13 to 6.15.3. It also impacts Linux kernel release candidate 6.16 rc1 and Debian Linux 11.0.
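The version ranges above, turned into a check over `uname -r` strings for asset inventory; this is an added example, not code from the advisory or the kernel project. The three result labels and the rule that any suffix other than `-rcN` marks a vendor build are assumptions of the example: vendor kernels can carry a backported fix under an unchanged upstream number, so they are flagged for a package-level check rather than reported as affected.

```python
import platform
import re

# Upstream ranges listed on this page: (first affected, first fixed release).
AFFECTED_RANGES = [
    ((2, 6, 36), (5, 4, 295)),
    ((5, 5, 0), (5, 10, 239)),
    ((5, 11, 0), (5, 15, 186)),
    ((5, 16, 0), (6, 1, 142)),
    ((6, 2, 0), (6, 6, 94)),
    ((6, 7, 0), (6, 12, 34)),
    ((6, 13, 0), (6, 15, 3)),
]
# Debian Linux 11.0 is listed as a product, not a kernel version: check its
# kernel package against the vendor advisory rather than with this table.

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")
_MAINLINE_SUFFIX = re.compile(r"^(-rc\d+)?$")


def parse_release(release):
    """Split a `uname -r` string into ((major, minor, patch), suffix)."""
    m = _RELEASE.match(release.strip())
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def classify(release):
    """Return 'affected', 'check-vendor' or 'not-listed' (labels are this example's)."""
    version, suffix = parse_release(release)
    if version == (6, 16, 0) and suffix == "-rc1":  # listed separately on the page
        return "affected"
    if not any(lo <= version < hi for lo, hi in AFFECTED_RANGES):
        return "not-listed"
    # A distro suffix means fixes may be backported under the same number.
    return "affected" if _MAINLINE_SUFFIX.match(suffix) else "check-vendor"


if __name__ == "__main__":
    # Constructed inventory strings plus the running host's own release.
    for rel in ["6.6.93", "6.6.94", "5.10.0-35-amd64", "6.16.0-rc1", platform.release()]:
        print(f"{rel:24} {classify(rel)}")
```

A `check-vendor` result should be resolved against the distribution's own advisory for the installed kernel package.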

How is the vulnerability CVE-2025-38352 decoded, and what is its weakness class?

This vulnerability is a race condition (CWE-367) in the Linux kernel's POSIX CPU timers. It occurs when an exiting task, which has already passed the exit_notify() stage, calls handle_posix_cpu_timers() from an interrupt. If a concurrent posix_cpu_timer_del() operation happens at this exact moment, it can lead to failures in detecting timer status and in acquiring necessary locks, ultimately causing issues with timer management.

What is the trigger path and scope for CVE-2025-38352?

The vulnerability is triggered by a race condition between the exiting of a non-autoreaping task and the deletion of a POSIX CPU timer. The trigger occurs when an exiting task calls handle_posix_cpu_timers() from an IRQ context after passing exit_notify() but before unlock_task_sighand(). A concurrent posix_cpu_timer_del() that lands in this window can then cause failures. The scope is local, as it affects the Linux kernel's internal process and timer management.

What is the relevance of CVE-2025-38352 based on Halo Surface Signal analysis?

Halo Surface Signal assesses this Linux kernel vulnerability as 'Very unlikely' to be exploited externally. The reasoning is that it's an internal kernel-level issue related to process management and CPU timers, not exposed to the public internet or network-reachable surfaces.

What practical steps should be taken to respond to CVE-2025-38352?

To address this vulnerability, organizations should identify all Linux kernel assets running affected versions. It is recommended to isolate risks or reduce exposure where possible. Applying vendor-provided fixes is crucial, followed by validation to ensure the fix is effective. Continuous monitoring for related issues is also advised.

References