CVE-2025-68214

EPSS 0.01%
Veröffentlicht 16.12.2025 13:57:09
Zuletzt bearbeitet 26.02.2026 15:52:56
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

timers: Fix NULL function pointer race in timer_shutdown_sync()

There is a race condition between timer_shutdown_sync() and timer
expiration that can lead to hitting a WARN_ON in expire_timers().

The issue occurs when timer_shutdown_sync() clears the timer function
to NULL while the timer is still running on another CPU. The race
scenario looks like this:

CPU0					CPU1
					<SOFTIRQ>
					lock_timer_base()
					expire_timers()
					base->running_timer = timer;
					unlock_timer_base()
					[call_timer_fn enter]
					mod_timer()
					...
timer_shutdown_sync()
lock_timer_base()
// For now, will not detach the timer but only clear its function to NULL
if (base->running_timer != timer)
	ret = detach_if_pending(timer, base, true);
if (shutdown)
	timer->function = NULL;
unlock_timer_base()
					[call_timer_fn exit]
					lock_timer_base()
					base->running_timer = NULL;
					unlock_timer_base()
					...
					// Now timer is pending while its function set to NULL.
					// next timer trigger
					<SOFTIRQ>
					expire_timers()
					WARN_ON_ONCE(!fn) // hit
					...
lock_timer_base()
// Now timer will detach
if (base->running_timer != timer)
	ret = detach_if_pending(timer, base, true);
if (shutdown)
	timer->function = NULL;
unlock_timer_base()

The problem is that timer_shutdown_sync() clears the timer function
regardless of whether the timer is currently running. This can leave a
pending timer with a NULL function pointer, which triggers the
WARN_ON_ONCE(!fn) check in expire_timers().

Fix this by only clearing the timer function when actually detaching the
timer. If the timer is running, leave the function pointer intact, which is
safe because the timer will be properly detached when it finishes running.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.118

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.60

Linux ≫ Linux Kernel Version >= 6.13 < 6.17.10

Linux ≫ Linux Kernel Version6.1.158

Linux ≫ Linux Kernel Version6.18 Updaterc1

Linux ≫ Linux Kernel Version6.18 Updaterc2

Linux ≫ Linux Kernel Version6.18 Updaterc3

Linux ≫ Linux Kernel Version6.18 Updaterc4

Linux ≫ Linux Kernel Version6.18 Updaterc5

Linux ≫ Linux Kernel Version6.18 Updaterc6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.01

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.7	1	3.6	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

https://git.kernel.org/stable/c/1a975716cc8977f461e45e28e3e5977d46ad7a6a

Patch

https://git.kernel.org/stable/c/6665fbd7730b26d770c232b20d1b907e6a67a914

Patch

https://git.kernel.org/stable/c/176725f4848376530a0f0da9023f956afcc33585

Patch

https://git.kernel.org/stable/c/a01efa7a780c42ac5170a949bd95c9786ffcc60a

Patch

https://git.kernel.org/stable/c/20739af07383e6eb1ec59dcd70b72ebfa9ac362c

Patch

https://git.kernel.org/stable/c/ba43ac025c4318241f8edf94f31d2eebab86991b

Patch