Ctrl + K
/ news / CVE
CVEPublished 2025-07-221 article on news7 live referencesNVD data

CVE-2025-38352

Vulnerability data via CVEDB (Shodan)

CISA KEVKnown exploited in the wild.
CISA action: Linux kernel contains a time-of-check time-of-use (TOCTOU) race condition vulnerability that has a high impact on confidentiality, integrity, and availability.
CVSS v3.1
7.4
HIGH
EPSS percentile
77
Exploit Prediction Scoring System · top 23% of all CVEs
Description

In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.

Timeline
Published 2025-07-22

External references

NVDMITREExploit-DBGitHub PoCSploitustrickest/cveVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag4 hosts
vuln:CVE-2025-38352
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · OS
os:"Debian Linux"
Hosts Shodan identified as running Debian Linux.
More intel sources (5)
Shodan report
vuln:CVE-2025-38352
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2025-38352
Censys host search filtered to this CVE id.
grep.app
CVE-2025-38352
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2025-38352
GitHub code search for direct mentions.
Google dork
"CVE-2025-38352" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (8)

CVE-2025-383528 repos
xairy/linux-kernel-exploitationunknown
A collection of links related to Linux kernel security and exploitation
★ 6,503·updated 3w ago
0xor0ne/awesome-listunknown
Cybersecurity oriented awesome list
★ 3,802·updated today
gmh5225/awesome-game-securityPython
awesome game security [Welcome to PR]
★ 3,017·updated 1d ago
farazsth98/chronomalyC
Android kernel exploit for CVE-2025-38352, previously exploited in-the-wild. Targets vulnerable x86_64 Linux kernels v5.10.x.
★ 299·updated 5mo ago
farazsth98/poc-CVE-2025-38352C
This is a proof of concept for CVE-2025-38352, a vulnerability in the Linux kernel's POSIX CPU timers implementation. The September 2025 Android Bulletin mentions that this vulnera…
★ 104·updated 5mo ago
portbuster1337/lpe-toolkitC
Multi-architecture Linux privilege escalation toolkit with 19 pre-built and runtime-compilable exploits. Auto-detects kernel version, filters patched exploits, tries each until roo…
★ 91·updated 4d ago
gocortexio/signalbenchRust
A Rust-based Linux application that generates endpoint telemetry aligned with MITRE ATT&CK techniques for security analytics, research, and training environments.
★ 10·updated 2w ago
sqxy090123/VulnKitJava
★ 7·updated 2mo ago
Articles on news mentioning CVE-2025-38352