PoC for CVE-2025-38352 Linux POSIX CPU Timers Race Condition

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://github.com/farazsth98/poc-CVE-2025-38352
• Blog Title: PoC for CVE-2025-38352: Linux POSIX CPU Timers Race Condition
• Suggested Section: 🐧 Linux Hardening -> Linux Privilege Escalation -> Posix Cpu Timers Toctou Cve 2025 38352 (and optionally cross-linked from 🎯 Binary Exploitation -> Linux kernel exploitation - toctou)

🎯 Content Summary

CVE-2025-38352 is a race-condition vulnerability in the Linux kernel’s POSIX CPU timers implementation. The repository farazsth98/poc-CVE-2025-38352 provides a concrete, buildable proof of concept targeting Linux LTS 6.12.33, primarily for Android kernels where the bug has been reported as “limited, targeted exploitation in the wild” in the September 2025 Android security bulletin.

The bug i...

🔧 Technical Details

Abusing race conditions in POSIX CPU timers for kernel memory corruption
CVE-2025-38352 demonstrates that the Linux POSIX CPU timers subsystem can become vulnerable when timer operations are handled synchronously in handle_posix_cpu_timers() and concurrently modified elsewhere. The general trick is: (1) identify a kernel handler that walks timer/task structures with insufficient synchronization; (2) from userspace, spawn threads or processes that rapidly create, arm, disarm, and destroy POSIX CPU timers; and (3) rely on scheduling to overlap those operations with the handler’s traversal so that a timer or task structure is freed or repurposed while still being referenced. In any kernel with similar lifetime/locking issues, this pattern can yield a use-after-free or stale-pointer dereference, which can then be shaped into arbitrary kernel memory corruption and, ultimately, code execution.

Making narrow kernel races reliably expl...

🤖 Agent Actions

Summary:

• Enriched the POSIX CPU Timers TOCTOU page with a step-by-step breakdown of Faith’s poc-CVE-2025-38352 workflow, covering the ptrace-controlled parent/child orchestration, timer configuration, synchronization primitives, and the userland sequence that frees timers while the IRQ handler runs.
• Documented the mdelay-based kernel patch technique for widening the race window in lab builds and highlighted it as a reusable tactic for validating tight kernel races before removing instrumentation.
• Added practical lab guidance on exposing CONFIG_POSIX_CPU_TIMERS_TASK_WORK via Kconfig edits, running multi-core QEMU guests, tuning the PoC’s wait_time, and compiling/running the static trigger; updated the references with the PoC blog and GitHub repository.

Testing:

• Not run (documentation-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

• MD files processed: 935
• MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

[carlospolop]

🔗 Additional Context

Original Blog Post: https://github.com/farazsth98/poc-CVE-2025-38352

Content Categories: Based on the analysis, this content was categorized under "🐧 Linux Hardening -> Linux Privilege Escalation -> Posix Cpu Timers Toctou Cve 2025 38352 (and optionally cross-linked from 🎯 Binary Exploitation -> Linux kernel exploitation - toctou)".

Repository Maintenance:

• MD Files Formatting: 935 files processed (1 files fixed)

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0