CVE-2025-38352

HIGH KEV

Linux Kernel - Time-of-check Time-of-use Race Condition in POSIX CPU Timers

Exploitation Summary

CVE-2025-38352 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 4, 2025. EIP tracks 8 public exploits from researchers including farazsth98, AnalyticETH, adminlove520.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2025-38352, targeting a race condition in the Linux kernel's POSIX CPU timers. The exploit achieves local privilege escalation (LPE) by manipulating kernel structures through a use-after-free (UAF) vulnerability.

Description

In the Linux kernel, the following vulnerability has been resolved:

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand().

If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail.

Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.

This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.

Exploits (8)

nomisec WORKING POC 273 stars
by farazsth98 · local
https://github.com/farazsth98/chronomaly

This repository contains a functional exploit for CVE-2025-38352, targeting a race condition in the Linux kernel's POSIX CPU timers. The exploit achieves local privilege escalation (LPE) by manipulating kernel structures through a use-after-free (UAF) vulnerability.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel v5.10.x (specifically tested on v5.10.157)
No auth needed
Prerequisites: Linux kernel v5.10.x with specific config options (e.g., CONFIG_POSIX_CPU_TIMERS_TASK_WORK=n) · QEMU or similar virtualized environment for testing · Multi-core CPU for race condition exploitation
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 91 stars
by farazsth98 · local
https://github.com/farazsth98/poc-CVE-2025-38352

This repository contains a proof-of-concept exploit for CVE-2025-38352, a race condition vulnerability in the Linux kernel's POSIX CPU timers implementation. The PoC triggers a use-after-free of a `struct k_itimer` by manipulating CPU timer handling in a multi-threaded environment.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel 6.12.33 with CONFIG_POSIX_CPU_TIMERS_TASK_WORK disabled
No auth needed
Prerequisites: Linux kernel 6.12.33 · CONFIG_POSIX_CPU_TIMERS_TASK_WORK disabled · CONFIG_PREEMPT enabled
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 2 stars
by AnalyticETH · c · local
https://github.com/AnalyticETH/chronomaly-webos

This repository contains a functional exploit for CVE-2025-38352, a local privilege escalation vulnerability in LG webOS kernel 5.4.268-320. The exploit leverages a POSIX CPU timer race condition to achieve use-after-free on a struct sigqueue object, leading to arbitrary kernel write and root privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: LG webOS kernel 5.4.268-320 (ARM64)
Auth required
Prerequisites: Developer Mode SSH access to LG webOS TV · aarch64-linux-gnu-gcc for cross-compilation · SSH key for authentication
devstral-2 · analyzed May 30, 2026

github WORKING POC 2 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-38352

The repository contains functional exploit code for multiple CVEs, including authentication bypass vulnerabilities in TOTOLINK devices and a scanner for Fortinet SSL VPN (CVE-2024-21762). The PoCs demonstrate the vulnerabilities with clear technical details and functional code.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: TOTOLINK LR350, TOTOLINK T6, Fortinet SSL VPN
No auth needed
Prerequisites: network access to the target device
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 1 stars
by Soikoth3010 · poc
https://github.com/Soikoth3010/chronomaly

This repository contains a proof-of-concept exploit for CVE-2025-38352, targeting a vulnerability in Linux kernel version 5.10.x on Android devices. The exploit leverages a race condition to achieve local privilege escalation (LPE) by manipulating timers and signal queues.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel 5.10.x on Android
No auth needed
Prerequisites: Android device with vulnerable Linux kernel 5.10.x · Local access to the device
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by jordelmir · poc
https://github.com/jordelmir/Elysium-Vanguard-Sentinel-Audit

This repository contains a functional PoC exploit for CVE-2025-38352, targeting an out-of-bounds read/write vulnerability in the KGSL driver on Honor Magic V2 devices. The exploit demonstrates kernel memory access via crafted IOCTL calls and includes a detailed technical writeup.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: KGSL driver on Honor Magic V2 (Snapdragon 8 Gen 2)
Auth required
Prerequisites: shell (UID 2000) privileges · access to /dev/kgsl-3d0
devstral-2 · analyzed Feb 24, 2026

nomisec SUSPICIOUS
by Soikoth3010 · poc
https://github.com/Soikoth3010/soikoth3010.github.io

The repository lacks actual exploit code and instead directs users to download a precompiled binary from an external release page. The README is marketing-focused with no technical details about CVE-2025-38352.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: Linux kernel 5.10.x (Android)
Auth required
Prerequisites: root access · vulnerable kernel version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Crime2 · poc
https://github.com/Crime2/poc-CVE-2025-38352

This repository contains a proof-of-concept exploit for CVE-2025-38352, targeting a vulnerability in the Linux kernel's POSIX CPU timers implementation. The exploit demonstrates a race condition that could allow unauthorized access to system resources.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel (POSIX CPU timers)
No auth needed
Prerequisites: Linux system with vulnerable kernel · Basic terminal knowledge
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.4
EPSS 0.0014
EPSS Percentile 33.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-09-04
VulnCheck KEV 2025-09-01
ENISA EUVD EUVD-2025-22297
CWE
CWE-367
Status published
Products (28)
debian/debian_linux 11.0
linux/Kernel 2.6.36 - 5.4.295 · linux
linux/Kernel 5.11.0 - 5.15.186 · linux
linux/Kernel 5.16.0 - 6.1.142 · linux
linux/Kernel 5.5.0 - 5.10.239 · linux
linux/Kernel 6.13.0 - 6.15.3 · linux
linux/Kernel 6.2.0 - 6.6.94 · linux
linux/Kernel 6.7.0 - 6.12.34 · linux
Linux/Linux < 2.6.36
Linux/Linux 0bdd2ed4138ec04e09b4f8165981efc99e439f55 - 2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff
... and 18 more
Published Jul 22, 2025
KEV Added Sep 04, 2025
Tracked Since Feb 18, 2026