CVE-2025-38352 — Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability

CVE-2025-38352

Linux Kernel — POSIX CPU Timer TOCTOU Race; Android September 2025 Zero-Day; Kernel Memory Corruption

What is the Linux Kernel POSIX CPU Timer Subsystem?

POSIX CPU timers are a Linux kernel facility that allows processes to set timers based on consumed CPU time rather than wall clock time — useful for implementing resource limits and performance monitoring. The timer subsystem runs partially in interrupt context (timer expiry handlers) and partially in process context (timer deletion during process exit), creating inherent concurrency that must be carefully synchronized to avoid race conditions.

Overview

CVE-2025-38352 is a time-of-check time-of-use (TOCTOU) race condition (CWE-367) in the Linux kernel's POSIX CPU timer handling in kernel/time/posix-cpu-timers.c. The race occurs between the timer expiry handler (running from interrupt context) and the timer cleanup path executed when a task exits. Successful exploitation can lead to use-after-free, kernel memory corruption, and privilege escalation. The vulnerability was included in Android's September 2025 Security Bulletin marked as "possibly under limited, targeted exploitation," and CISA added it to the KEV catalog the same day the bulletin was published.

Affected Versions

Platform        Vulnerable                       Fixed
Linux kernel    Before fix commit 2c72fe18       Commit 2c72fe18 and later
Android 13      Before 2025-09-01 patch level    September 2025 patch level
Android 14      Before 2025-09-01 patch level    September 2025 patch level
Android 15      Before 2025-09-01 patch level    September 2025 patch level
Android 16      Before 2025-09-01 patch level    September 2025 patch level

Linux distributions (Debian, Ubuntu, RHEL, etc.) ship individual kernel updates — check your distribution's security advisories.

Technical Details

The race condition is in kernel/time/posix-cpu-timers.c between two concurrent code paths:

  • handle_posix_cpu_timers(): runs from interrupt context when a CPU timer fires, iterates over a task's timer list
  • posix_cpu_timer_del(): runs when a task exits, cleans up timer structures after unlock_task_sighand() releases the task's signal handler lock

The race window: after unlock_task_sighand() is called during task exit, a parent process or debugger may reap the exiting task immediately, freeing its memory. If handle_posix_cpu_timers() fires in this window, it operates on freed memory — a classic use-after-free via race condition.

The fix adds an if (tsk->exit_state) return; guard in run_posix_cpu_timers() to detect this window and abort timer processing if the task has already begun exiting.
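To make the ordering concrete, here is a deterministic user-space model of the window described above and of the guard the fix adds. It is an added illustration written for this page, not code from the kernel's kernel/time/posix-cpu-timers.c; every name in it (task_model, timer_slot, FREED_MAGIC, race_scenario and so on) is invented for the model, and "freed memory" is represented by a poison value so the effect can be counted instead of crashing.

```c
/*
 * Added illustration (constructed for this page, not the kernel's own code):
 * a deterministic user-space model of the exit/expiry race and of the
 * exit_state guard that the fix adds. All names here (task_model,
 * timer_slot, FREED_MAGIC, race_scenario, ...) are invented for the model.
 */
#include <stdio.h>
#include <string.h>

#define MAX_TIMERS 4
#define FREED_MAGIC 0xDEADBEEFu   /* poison standing in for freed memory */

struct timer_slot {
    unsigned int magic;   /* 0 while the slot is valid, FREED_MAGIC once reaped */
    int armed;            /* 1 if the timer is pending */
    int fired;            /* set when the expiry handler processes it */
};

struct task_model {
    int exit_state;       /* 0 while alive, 1 once exit has begun */
    int sighand_locked;   /* 1 while the modelled sighand lock is held */
    int uaf_touches;      /* accesses to poisoned slots: the model's "crash" */
    struct timer_slot timers[MAX_TIMERS];
};

/* Create a live task with n_armed pending CPU timers. */
void task_init(struct task_model *t, int n_armed)
{
    memset(t, 0, sizeof(*t));
    for (int i = 0; i < n_armed && i < MAX_TIMERS; i++)
        t->timers[i].armed = 1;
}

/*
 * The exit path as the page describes it: the task marks itself exiting,
 * unlock_task_sighand() drops the lock, and the parent (or a debugger)
 * reaps the task, freeing its timer memory. Freeing is modelled by poison.
 */
void task_exit_and_reap(struct task_model *t)
{
    t->exit_state = 1;
    t->sighand_locked = 0;
    for (int i = 0; i < MAX_TIMERS; i++)
        t->timers[i].magic = FREED_MAGIC;
}

/* Walk the timer list and fire pending timers; count any touch of freed memory. */
static int fire_pending(struct task_model *t)
{
    int fired = 0;
    for (int i = 0; i < MAX_TIMERS; i++) {
        struct timer_slot *s = &t->timers[i];
        if (s->magic == FREED_MAGIC) {   /* real code cannot see this; it just corrupts */
            t->uaf_touches++;
            continue;
        }
        if (s->armed) {
            s->armed = 0;
            s->fired = 1;
            fired++;
        }
    }
    return fired;
}

/* Unpatched expiry handler: takes the lock and walks the list unconditionally. */
int handle_timers_unpatched(struct task_model *t)
{
    t->sighand_locked = 1;
    int fired = fire_pending(t);
    t->sighand_locked = 0;
    return fired;
}

/* Patched expiry handler: the guard the fix adds, checked before anything else. */
int handle_timers_patched(struct task_model *t)
{
    if (t->exit_state)
        return 0;   /* task is exiting: its timers may already be gone */
    return handle_timers_unpatched(t);
}

/* Scenario: the task has begun exiting and been reaped, then the timer interrupt
 * arrives. Returns how many freed slots the handler touched (0 means safe). */
int race_scenario(int patched)
{
    struct task_model t;
    task_init(&t, 2);
    task_exit_and_reap(&t);
    if (patched)
        handle_timers_patched(&t);
    else
        handle_timers_unpatched(&t);
    return t.uaf_touches;
}

/* Scenario: a live task; both handlers must still fire its timers. */
int live_scenario(int patched)
{
    struct task_model t;
    task_init(&t, 2);
    return patched ? handle_timers_patched(&t) : handle_timers_unpatched(&t);
}

int main(void)
{
    printf("live task, unpatched   : %d timers fired\n", live_scenario(0));
    printf("live task, patched     : %d timers fired\n", live_scenario(1));
    printf("exiting task, unpatched: %d freed slots touched\n", race_scenario(0));
    printf("exiting task, patched  : %d freed slots touched\n", race_scenario(1));
    return 0;
}
```

The model shows the two properties a reviewer checks in a fix like this: the guard rejects work on a task whose exit has already begun, and it changes nothing for a live task. It deliberately does not model the interrupt-context and locking rules that make the real guard sufficient; those are the kernel's own invariants, not something a user-space sketch can reproduce.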

Key characteristics:

  • High attack complexity (AC:H) — winning the race window requires precise timing
  • No privileges required (PR:N) — any process can create POSIX CPU timers
  • Kernel-level impact: memory corruption can be used for privilege escalation to root
  • Primarily exploited on Android (as indicated by the Security Bulletin context)

Discovery

Shreyas Penkar (@StreyPaws) — documented in a technical blog post titled "Race Against Time in the Kernel Clockwork."

Exploitation Context

Google marked this as "possibly under limited, targeted exploitation" in the Android September 2025 Security Bulletin — language consistent with spyware or state-sponsored attacker toolchains. CISA added it to the KEV catalog on September 4, 2025, the same day as Android Runtime UAF CVE-2025-48543, suggesting the two vulnerabilities may have been used together in the same exploit chain (sandbox escape via CVE-2025-48543 + kernel LPE via CVE-2025-38352).

Remediation

  1. Apply Android September 2025 security patches (patch level 2025-09-01 or later) on Android 13–16 devices.
  2. Update Linux kernel to a version containing commit 2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff or later on server/desktop Linux systems. Check your distribution's security advisory for the patched kernel package version.
  3. Prioritize mobile devices — the confirmed exploitation context is Android, and Android devices are more likely to have been actively targeted.
  4. Apply the Android Runtime UAF fix (CVE-2025-48543) simultaneously — the two CVEs likely form a sandbox escape + LPE chain.

Key Details

Property              Value
CVE ID                CVE-2025-38352
Vendor / Product      Linux — Kernel
NVD Published         2025-07-22
NVD Last Modified     2026-01-08
CVSS 3.1 Score        7.4
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-367
CISA KEV Added        2025-09-04
CISA KEV Deadline     2025-09-25
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-09-25. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-07-22   CVE published; kernel fix committed (commit 2c72fe18)
2025-09-01   Android September 2025 Security Bulletin patches mobile devices
2025-09-04   Added to CISA Known Exploited Vulnerabilities catalog; limited targeted exploitation confirmed
2025-09-25   CISA BOD 22-01 remediation deadline