CVE-2025-38352 · threatengine.sh

Home/CVE/Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability

CVE

CVE-2025-38352

Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability

In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer-it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk-exit_state check into run_posix_cpu_timers() to fix this.

This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk-posix_cputimers_work.work) will fail anyway in this case.

HIGH · CVSS 7.4 ⚠ CISA KEV EPSS 0.00135

Act now

Listed on CISA KEV (known exploited in the wild)
SSVC exploitation status: active
Public exploit or PoC is available
CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

⬢

Required Remediation

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

⬡

Weakness Classification

CWE-367Time-of-check Time-of-use (TOCTOU) Race Condition

▤

Affected Products & Versions

9

linux kernel>= 2.6.36 and < 5.4.295
linux kernel>= 5.5 and < 5.10.239
linux kernel>= 5.11 and < 5.15.186
linux kernel>= 5.16 and < 6.1.142
linux kernel>= 6.2 and < 6.6.94
linux kernel>= 6.7 and < 6.12.34
linux kernel>= 6.13 and < 6.15.3
linux kernelall versions
Show all 9 affected productsdebian linuxall versions

⚠

Public Exploits & PoCs

1

pocgithub.com · chronomalygithub.com

▣

Scoring & Timeline

7.4

HIGH · CVSS v3.1 · 416baaa9-dc9f-4396-8d5f-8c081fb06d67

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD22 Jul 2025 · 08:15 AM

CVSS VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC triage · cisa-vulnrichment

Exploitation

active

Automatable

no

Technical impact

total

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

⚑

Vendor Advisories

30

suse-csafSUSE-SU-2026:20635-1
suse-csafSUSE-SU-2026:20644-1
suse-csafSUSE-SU-2026:20645-1
suse-csafSUSE-SU-2026:20455-1
suse-csafSUSE-SU-2026:20456-1
Show all 30 vendor advisoriessuse-csafSUSE-SU-2026:20457-1
suse-csafSUSE-SU-2026:20458-1
suse-csafSUSE-SU-2026:20459-1
suse-csafSUSE-SU-2026:20460-1
suse-csafSUSE-SU-2026:20461-1
suse-csafSUSE-SU-2026:20462-1
suse-csafSUSE-SU-2026:20463-1
suse-csafSUSE-SU-2026:20464-1
suse-csafSUSE-SU-2026:20465-1
suse-csafSUSE-SU-2026:20470-1
suse-csafSUSE-SU-2026:20499-1
suse-csafSUSE-SU-2026:20500-1
suse-csafSUSE-SU-2026:20501-1
suse-csafSUSE-SU-2026:20502-1
suse-csafSUSE-SU-2026:20503-1
suse-csafSUSE-SU-2026:20504-1
suse-csafSUSE-SU-2026:20511-1
suse-csafSUSE-SU-2026:20512-1
suse-csafSUSE-SU-2026:20513-1
suse-csafSUSE-SU-2026:20514-1
suse-csafSUSE-SU-2026:20515-1
suse-csafSUSE-SU-2026:20516-1
suse-csafSUSE-SU-2026:0548-1
suse-csafSUSE-SU-2026:0554-1
suse-csafSUSE-SU-2026:0556-1

🔗

References & Sources

11

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://git.kernel.org/stable/c/2c72fe18cc5f9f1750f5bc148cf1c94c29e106ffPatch

https://git.kernel.org/stable/c/2f3daa04a9328220de46f0d5c919a6c0073a9f0bPatch

https://git.kernel.org/stable/c/460188bc042a3f40f72d34b9f7fc6ee66b0b757bPatch

https://git.kernel.org/stable/c/764a7a5dfda23f69919441f2eac2a83e7db6e5bbPatch

https://git.kernel.org/stable/c/78a4b8e3795b31dae58762bc091bb0f4f74a2200Patch

https://git.kernel.org/stable/c/c076635b3a42771ace7d276de8dc3bc76ee2ba1bPatch

Show all 11 references

https://git.kernel.org/stable/c/c29d5318708e67ac13c1b6fc1007d179fb65b4d7Patch

https://git.kernel.org/stable/c/f90fff1e152dedf52b932240ebbd670d83330ecaPatch

https://lists.debian.org/debian-lts-announce/2025/10/msg00007.htmlMailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2025/10/msg00008.htmlMailing ListThird Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-38352US Government Resource

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin