CVE-2025-38352
BaseFortify

Publication date: 2025-07-22

Last updated on: 2025-11-04

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand().

If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail.

Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.

This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.

Meta Information
Published: 2025-07-22
Last Modified: 2025-11-04
Generated: 2026-05-27
AI Q&A: 2025-07-22
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel 6.16
debian debian_linux 11.0
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel is a race condition between handle_posix_cpu_timers() and posix_cpu_timer_del(). If an exiting non-autoreaping task that has already passed exit_notify() calls handle_posix_cpu_timers() from an interrupt (IRQ), it can be reaped by its parent or debugger right after unlock_task_sighand(). If posix_cpu_timer_del() runs concurrently at that moment, it cannot detect that the timer is firing (timer->it.cpu.firing != 0), because cpu_timer_task_rcu() and/or lock_task_sighand() will fail. The fix adds a check of the task's exit_state in run_posix_cpu_timers() to close this race.


How can this vulnerability impact me?

This vulnerability can lead to improper handling of POSIX CPU timers in the Linux kernel, potentially causing race conditions that may result in incorrect task cleanup or timer management. This could lead to system instability, unexpected behavior in applications relying on CPU timers, or debugging difficulties due to premature task reaping.


What immediate steps should I take to mitigate this vulnerability?

Apply the Linux kernel patch that fixes the race condition between handle_posix_cpu_timers() and posix_cpu_timer_del() as described. Specifically, ensure your kernel includes the fix that adds the tsk->exit_state check into run_posix_cpu_timers(). If your kernel is configured with CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, this issue is mitigated by design. Otherwise, update your kernel to a version that includes this fix to prevent the race condition.
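
To tell which case a host falls into, the following added example (not part of the advisory or the kernel tree) reads a kernel config file, plain or gzip-compressed, and reports how CONFIG_POSIX_CPU_TIMERS_TASK_WORK is set. The function names are hypothetical, and /proc/config.gz and /boot/config-$(uname -r) are assumed as the usual config locations.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel tree); function names are hypothetical.
OPT=CONFIG_POSIX_CPU_TIMERS_TASK_WORK

# Print a kernel config, decompressing when the name ends in .gz.
read_kconfig() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# Echo enabled | disabled | unknown for the config file given as $1.
#   enabled  : "$OPT=y"; per the advisory the exit_state fix is not needed
#   disabled : "# $OPT is not set" or symbol absent; the kernel must carry the fix
#   unknown  : file missing, unreadable, empty or not decompressible
task_work_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    text=$(read_kconfig "$1" 2>/dev/null) || { echo unknown; return 0; }
    [ -n "$text" ] || { echo unknown; return 0; }
    if printf '%s\n' "$text" | grep -qx "$OPT=y"; then
        echo enabled
    else
        echo disabled
    fi
}

# Check the running kernel; both paths are common locations (assumption).
check_running_kernel() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        if [ -r "$f" ]; then
            echo "$f: $(task_work_state "$f")"
            return 0
        fi
    done
    echo "no kernel config found: unknown"
}

# Constructed sample config (not from a real system).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'CONFIG_POSIX_TIMERS=y' "# $OPT is not set" > "$tmp"
    task_work_state "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "--running" ]; then check_running_kernel; fi
```

A result of "disabled" or "unknown" means the host should be treated as needing a kernel that contains the tsk->exit_state check.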

