CVE-2025-38352
published 2025-07-22CVE-2025-38352: In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If…
high7.4CVSS 3.1
AVLACHPRNUINSUCHIHAH
KEV
CISA Known Exploited Vulnerabilitydue 2025-09-25
In the Linux kernel, the following vulnerability has been resolved:
posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
or debugger right after unlock_task_sighand().
If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
lock_task_sighand() will fail.
Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.
This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because
exit_task_work() is called before exit_notify(). But the check still
makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail
anyway in this case.
Affected
36 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| android | — | — | |
| linux | linux | — | — |
| linux | linux | >= 0bdd2ed4138ec04e09b4f8165981efc99e439f55 < 78a4b8e3795b31dae58762bc091bb0f4f74a2200 | 78a4b8e3795b31dae58762bc091bb0f4f74a2200 |
| linux | linux | >= 0bdd2ed4138ec04e09b4f8165981efc99e439f55 < c076635b3a42771ace7d276de8dc3bc76ee2ba1b | c076635b3a42771ace7d276de8dc3bc76ee2ba1b |
| linux | linux | >= 0bdd2ed4138ec04e09b4f8165981efc99e439f55 < 2f3daa04a9328220de46f0d5c919a6c0073a9f0b | 2f3daa04a9328220de46f0d5c919a6c0073a9f0b |
| linux | linux | >= 0bdd2ed4138ec04e09b4f8165981efc99e439f55 < 764a7a5dfda23f69919441f2eac2a83e7db6e5bb | 764a7a5dfda23f69919441f2eac2a83e7db6e5bb |
| linux | linux | >= 0bdd2ed4138ec04e09b4f8165981efc99e439f55 < 2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff | 2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff |
| linux | linux | >= 0bdd2ed4138ec04e09b4f8165981efc99e439f55 < c29d5318708e67ac13c1b6fc1007d179fb65b4d7 | c29d5318708e67ac13c1b6fc1007d179fb65b4d7 |
| linux | linux | >= 0bdd2ed4138ec04e09b4f8165981efc99e439f55 < 460188bc042a3f40f72d34b9f7fc6ee66b0b757b | 460188bc042a3f40f72d34b9f7fc6ee66b0b757b |
| linux | linux | >= 0bdd2ed4138ec04e09b4f8165981efc99e439f55 < f90fff1e152dedf52b932240ebbd670d83330eca | f90fff1e152dedf52b932240ebbd670d83330eca |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
| linux | linux_kernel | >= 0 < 6.12.35-1 | 6.12.35-1 |
| linux | linux_kernel | >= 0 < 6.12.35-1 | 6.12.35-1 |
| linux | linux_kernel | >= 0 < 5.15.0-156.166 | 5.15.0-156.166 |
| linux | linux_kernel | >= 0 < 6.8.0-87.88 | 6.8.0-87.88 |
| linux | linux_kernel | >= 0 < 3.13.0-210.261 | 3.13.0-210.261 |
| linux | linux_kernel | >= 0 < 4.4.0-274.308 | 4.4.0-274.308 |
| linux | linux_kernel | >= 0 < 4.15.0-243.255 | 4.15.0-243.255 |
| linux | linux_kernel | >= 0 < 5.4.0-223.243 | 5.4.0-223.243 |
| linux | linux_kernel | >= 2.6.36 < 5.4.295 | 5.4.295 |
CVSS provenance
nvdv3.17.4HIGHCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH
vulncheck7.4HIGH
cisa7.4HIGH