
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

This post is a detailed, exploit-focused analysis of CVE-2025-38352, a race-condition use-after-free (UAF) in the Linux kernel’s POSIX CPU timers. It explains how the subsystem works, how the race arises between CPU timer handling and timer deletion on an exiting task, and builds a working PoC that reliably triggers the bug, primarily for research against Android kernels lacking CONFIG_POSIX_CPU_TIMERS_TASK_WORK.


Execution context and vulnerable path...

🔧 Technical Details

Race-condition UAF using POSIX CPU timers on zombie tasks
The core trick is to create a race between the kernel’s POSIX CPU timer handling and userland timer deletion on a thread that has already become a zombie. When a per-CPU tick triggers run_posix_cpu_timers(), the kernel calls handle_posix_cpu_timers(), which locks tsk->sighand->siglock, moves ready CPU timers from task structures into a local firing list, then drops the lock and later iterates firing. If the task is in EXIT_ZOMBIE, an attacker can exploit the window after unlock_task_sighand() but before list_for_each_entry_safe() to reap the zombie (via waitpid() so that release_task() sets tsk->sighand = NULL) and then call timer_delete() on the same CPU timer. Because posix_cpu_timer_del() returns 0 even when lock_task_sighand()

🤖 Agent Actions

Updated src/linux-hardening/privilege-escalation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md with deeper technical coverage of CVE-2025-38352:

  • Added detailed analysis of how release_task() + timer_delete() free firing timers, including kernel code snippets and explanation of the RCU-based UAF window.
  • Documented the ptrace/waitpid technique for steering zombie reaping, along with configuration guidance for forcing the vulnerable IRQ path (Kconfig toggle, multi-core testbed considerations).
  • Expanded the exploitation methodology with a full PoC blueprint: IPC/affinity choreography, calibrated CLOCK_THREAD_CPUTIME_ID timers (with collapsible code sample), race timeline, and optional kernel instrumentation tips.
  • Enhanced detection guidance with sanitizer/WARN tracing notes and added new references to the in-depth blog post, GitHub PoC, and upstream fix commit.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 935
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
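The interleaving summarised under "Technical Details" above, as a user-space model added here for illustration. It is not code from the blog post, the PoC, the HackTricks page or the kernel: siglock, the timer queue, RCU and kfree() are reduced to flags so the race can be replayed deterministically and the use-after-free is reported as a count instead of a crash. Function and field names mirror the kernel's for readability, but the bodies are the model's own; the firing flag and TIMER_RETRY branch follow the posix_cpu_timer_del() behaviour described above in simplified form, and the "fixed" variant, which refuses to build a firing list for a task whose exit_state is set, is the model's stand-in for the upstream fix, not a quotation of it.

```c
/* User-space model of the race between handle_posix_cpu_timers() and
 * posix_cpu_timer_del().  Added illustration, not kernel code: lock, timer
 * queue and kfree() are flags, so the UAF is counted rather than triggered. */
#include <stdbool.h>

#define TIMER_RETRY 1
#define MAX_TIMERS  4

struct cpu_timer {
    bool armed;   /* queued on the task's timer list */
    bool firing;  /* moved onto a local firing list (kernel: ctmr->firing) */
    bool freed;   /* model-only stand-in for kfree() of the k_itimer */
};

struct task_struct {
    bool sighand;     /* false after release_task() clears tsk->sighand */
    int  exit_state;  /* nonzero once the task is a zombie */
    struct cpu_timer timers[MAX_TIMERS];
};

/* lock_task_sighand() fails once release_task() has cleared tsk->sighand. */
static bool lock_task_sighand(struct task_struct *tsk) { return tsk->sighand; }

/* Phase 1 of handle_posix_cpu_timers(): under siglock, move expired timers onto
 * a local firing list, then drop the lock.  fixed == true models the upstream fix. */
static int collect_firing(struct task_struct *tsk, struct cpu_timer *firing[],
                          bool fixed)
{
    int n = 0;
    if ((fixed && tsk->exit_state) || !lock_task_sighand(tsk))
        return 0;
    for (int i = 0; i < MAX_TIMERS; i++) {
        if (tsk->timers[i].armed) {          /* expired on this tick */
            tsk->timers[i].armed = false;
            tsk->timers[i].firing = true;
            firing[n++] = &tsk->timers[i];
        }
    }
    return n;                                /* siglock dropped here */
}

/* release_task(): reaper detaches sighand; the IRQ-local firing list is not visible here. */
static void release_task(struct task_struct *tsk)
{
    for (int i = 0; i < MAX_TIMERS; i++)
        tsk->timers[i].armed = false;
    tsk->sighand = false;
}

/* posix_cpu_timer_del(): with sighand gone the firing check is skipped and 0
 * is returned, so timer_delete() goes on to free the timer. */
static int posix_cpu_timer_del(struct task_struct *tsk, struct cpu_timer *t)
{
    int ret = 0;
    if (lock_task_sighand(tsk)) {
        if (t->firing) {
            t->firing = false;   /* firing path will skip delivery */
            ret = TIMER_RETRY;   /* caller unlocks and retries */
        } else {
            t->armed = false;    /* disarm_timer() */
        }
    }
    if (!ret)
        t->freed = true;         /* kfree() in the model */
    return ret;
}

/* Phase 2: walk the firing list without siglock.  Returns how many entries
 * were touched after being freed, i.e. the UAF accesses. */
static int fire_list(struct cpu_timer *firing[], int n)
{
    int uaf = 0;
    for (int i = 0; i < n; i++) {
        if (firing[i]->freed)
            uaf++;
        else if (firing[i]->firing)
            firing[i]->firing = false;  /* cpu_timer_fire(): deliver signal */
    }
    return uaf;
}

/* Replay the interleaving: tick (phase 1, siglock dropped), optional reap by
 * waitpid(), timer_delete(), then phase 2.  Returns the number of UAF
 * accesses, or -1 when timer_delete() was told to retry (the safe path). */
int replay(bool fixed, bool reaped)
{
    struct task_struct tsk = { .sighand = true, .exit_state = 1 }; /* zombie */
    struct cpu_timer *firing[MAX_TIMERS];
    int n;

    tsk.timers[0].armed = true;                    /* expires on this tick */
    n = collect_firing(&tsk, firing, fixed);       /* IRQ: phase 1 */
    if (reaped)
        release_task(&tsk);                        /* parent's waitpid() */
    if (posix_cpu_timer_del(&tsk, &tsk.timers[0]) == TIMER_RETRY)
        return -1;
    return fire_list(firing, n);                   /* IRQ: phase 2 */
}
```

`replay(false, true)` reproduces the bug: the timer sits on the firing list, the reap makes lock_task_sighand() fail, timer_delete() frees it, and the firing walk touches freed memory. `replay(false, false)` shows why the reap matters: with sighand still present the firing flag is seen and the delete is told to retry. `replay(true, true)` shows the modelled fix, which never builds a firing list for an exiting task, so there is nothing left for the delete to race against.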

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://faith2dxy.xyz/2025-12-22/cve_2025_38352_analysis/

Content Categories: Based on the analysis, this content was categorized under "Linux Hardening -> Linux Privilege Escalation -> Linux kernel exploitation / race conditions (e.g., "Posix Cpu Timers Toctou Cve 2025 38352")".

Repository Maintenance:

  • MD Files Formatting: 935 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
