CVE-2025-38352

Warning

Media report

EPSS 0.58%
Published 22.07.2025 08:15:23
Last modified 05.09.2025 14:18:52
Source 416baaa9-dc9f-4396-8d5f-8c081f
Teams watchlist Login
Open Login

In the Linux kernel, the following vulnerability has been resolved:

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
or debugger right after unlock_task_sighand().

If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
lock_task_sighand() will fail.

Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.

This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because
exit_task_work() is called before exit_notify(). But the check still
makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail
anyway in this case.

Affected products Warnungen 1 Metrics 2 CWE 1 References 13

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 2.6.36 < 5.4.295

Linux ≫ Linux Kernel Version >= 5.5 < 5.10.239

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.186

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.142

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.94

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.34

Linux ≫ Linux Kernel Version >= 6.13 < 6.15.3

Linux ≫ Linux Kernel Version6.16 Updaterc1

04.09.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability

Vulnerability

Linux kernel contains a time-of-check time-of-use (TOCTOU) race condition vulnerability that has a high impact on confidentiality, integrity, and availability.

Description

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.58%	0.68

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.4	1.4	5.9	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

https://www.heise.de/news/Angriffe-auf-Luecken-in-Linux-Android-und-Sitecore-10633165.html

Medienbericht

heise Security

https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/

Medienbericht

Krebs on Security

https://git.kernel.org/stable/c/2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff

Patch

https://git.kernel.org/stable/c/2f3daa04a9328220de46f0d5c919a6c0073a9f0b

Patch

https://git.kernel.org/stable/c/460188bc042a3f40f72d34b9f7fc6ee66b0b757b

Patch