CVE-2025-68214
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-16

Last updated on: 2026-02-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: timers: Fix NULL function pointer race in timer_shutdown_sync() There is a race condition between timer_shutdown_sync() and timer expiration that can lead to hitting a WARN_ON in expire_timers(). The issue occurs when timer_shutdown_sync() clears the timer function to NULL while the timer is still running on another CPU. The race scenario looks like this: CPU0 CPU1 <SOFTIRQ> lock_timer_base() expire_timers() base->running_timer = timer; unlock_timer_base() [call_timer_fn enter] mod_timer() ... timer_shutdown_sync() lock_timer_base() // For now, will not detach the timer but only clear its function to NULL if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() [call_timer_fn exit] lock_timer_base() base->running_timer = NULL; unlock_timer_base() ... // Now timer is pending while its function set to NULL. // next timer trigger <SOFTIRQ> expire_timers() WARN_ON_ONCE(!fn) // hit ... lock_timer_base() // Now timer will detach if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() The problem is that timer_shutdown_sync() clears the timer function regardless of whether the timer is currently running. This can leave a pending timer with a NULL function pointer, which triggers the WARN_ON_ONCE(!fn) check in expire_timers(). Fix this by only clearing the timer function when actually detaching the timer. If the timer is running, leave the function pointer intact, which is safe because the timer will be properly detached when it finishes running.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2026-02-26
Generated
2026-05-06
AI Q&A
2025-12-16
EPSS Evaluated
2026-05-05
NVD
CVE-2025-68214
EUVD
EUVD-2025-203682
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.18
linux linux_kernel 6.18
linux linux_kernel 6.18
linux linux_kernel 6.18
linux linux_kernel 6.18
linux linux_kernel 6.18
linux linux_kernel From 6.13 (inc) to 6.17.10 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.60 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.118 (exc)
linux linux_kernel 6.1.158
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a race condition in the Linux kernel's timer system, specifically in the function timer_shutdown_sync(). The issue arises because timer_shutdown_sync() clears the timer's function pointer to NULL even if the timer is still running on another CPU. This can cause a pending timer to have a NULL function pointer, which leads to a WARN_ON_ONCE(!fn) warning in the expire_timers() function. The root cause is that the timer function pointer is cleared prematurely, potentially while the timer is still executing, causing unsafe behavior. The fix involves only clearing the timer function pointer when the timer is actually detached, ensuring safety by leaving the function pointer intact if the timer is running.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to hit a WARN_ON warning due to a NULL function pointer in a running timer, which may lead to instability or unexpected behavior in the system's timer management. While the description does not explicitly state the full impact, such race conditions can potentially cause kernel warnings, crashes, or degraded system reliability, especially in multi-CPU environments where timers are active.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to update the Linux kernel to a version where the fix has been applied. The fix ensures that the timer function pointer is only cleared when the timer is actually detached, preventing the race condition. Until the update is applied, avoid running workloads that heavily use timers in a way that could trigger this race condition.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart