CVE-2025-38352 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-07-22

Added to CISA KEV: 2025-09-04 44 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Apply kernel patches immediately to affected Linux systems (versions 2.6.36 through various 6.x branches)
Monitor for unusual process behavior and privilege escalation attempts
Implement additional access controls and monitoring for systems that cannot be immediately patched
PATCH PRIORITY: HIGH - Despite local attack vector, active exploitation makes this critical for defense in depth

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-38352 is a security vulnerability identified in the Linux kernel, specifically within the `posix-cpu-timers` implementation ^[2] ^[1].

Vulnerability Overview

The vulnerability is a Time-of-Check Time-of-Use (TOCTOU) race condition ^[4]. It occurs due to a race between `handle_posix_cpu_timers()` and `posix_cpu_timer_del()` ^[2]. Specifically, if an exiting non-autoreaping task passes `exit_notify()` and calls `handle_posix_cpu_timers()` from an interrupt context (IRQ), it can be reaped by its parent or a debugger immediately after `unlock_task_sighand()`, leading to the race condition when `posix_cpu_timer_del()` runs concurrently ^[1].

Exploitation and Impact

Active Exploitation: This vulnerability was identified as being actively exploited in the wild ^[4]. It was notably included in the CISA Known Exploited Vulnerabilities (KEV) catalog in September 2025 ^[4].
Impact: Successful exploitation allows for local escalation of privilege ^[5].
Requirements: Exploitation is local and does not require user interaction ^[5].
Proof-of-Concept: Proof-of-concept (PoC) code has been made available publicly (e.g., on GitHub) ^[3].

Affected Products and Mitigation

Affected Products: The vulnerability affects the Linux kernel, with specific attention drawn to its impact on Android devices, as noted in the September 2025 Android Security Bulletin ^[3] ^[5].
Status: The vulnerability has been resolved in the Linux kernel ^[2]. Users should ensure their systems are updated to the latest kernel versions provided by their respective distributions or device manufacturers to mitigate this risk.

Sources

CVE-2025-38352 - Vulnerability Details - OpenCVE
In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers () and posix_cpu_timer_del () If an exiting non-autoreaping task has already passed exit_notify () and calls handle_posix_cpu_timers () from IRQ, it can be reaped by its par…
GitHub - farazsth98/poc-CVE-2025-38352: This is a proof of concept ...
This is a proof of concept for CVE-2025-38352, a vulnerability in the Linux kernel's POSIX CPU timers implementation. The September 2025 Android Bulletin ... This is a proof of concept for CVE-2025-38352, a vulnerability in the Linux kernel's POSIX CPU timers implementation. The September 2025 A…
CVE-2025-38352 Detail - NVD
Description. In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between ... Secure .gov websites use HTTPS A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites. ... CVE-2025-…
CISA Adds Three Known Exploited Vulnerabilities to Catalog
CVE-2025-38352 Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability CVE-2025-48543 Android Runtime Unspecified Vulnerability CVE-2025-53690 Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability…
Google fixes actively exploited Android vulnerabilities (CVE-2025 ...
CVE-2025-38352 is a race condition in Android's Linux kernel. Both vulnerabilities could lead to local escalation of privilege with no ...