Linux Kernel POSIX Timer Use-After-Free Vulnerability (CVE-2025-38352) Exploited with Public PoC
A critical use-after-free vulnerability, tracked as CVE-2025-38352, has been identified in the Linux kernel's POSIX CPU timer implementation. The flaw is a race between handle_posix_cpu_timers(), which processes expired CPU timers, and deletion of the timer (posix_cpu_timer_del()) while the task that owns the timer is exiting: the timer structure can be freed by the deletion path while the expiry path is still using it. The window exists on kernels built without CONFIG_POSIX_CPU_TIMERS_TASK_WORK, where expired timers are handled directly from interrupt context rather than deferred to task work in the owning task's own context; with the option enabled, the two paths are serialized against the task and the race does not arise. The option is not available on every architecture, so the flaw notably affects 32-bit Android kernels, and the report also names Linux LTS 6.12.33 as affected.
A proof-of-concept (PoC) exploit for CVE-2025-38352 has been publicly released, demonstrating how a local attacker can win the race to corrupt kernel memory and potentially escalate privileges. The exploit creates a POSIX CPU timer bound to a thread, drives that thread into the zombie (exiting) state, and deletes the timer at the critical moment so that the freed timer is still referenced by the expiry path. On a KASAN-instrumented kernel a successful trigger shows up as a KASAN use-after-free report; on production kernels the same corruption is what the privilege-escalation chain builds on, so the flaw poses a significant local privilege escalation risk on unpatched systems.
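Since exposure hinges on whether the running kernel was built with CONFIG_POSIX_CPU_TIMERS_TASK_WORK, the first thing to check on a fleet is the kernel config. The script below is an added example written for this page (editor's code, not part of the PoC, the kernel, or the page's sources): it classifies a kernel config file as enabled, disabled, or unknown for that option and locates the running kernel's config. The function names, the constructed config fragments, and the treatment of an absent symbol as "not enabled" are this example's own assumptions; the absence case matters because Kconfig omits a non-selectable symbol from .config entirely on architectures that cannot enable it, so a missing line is not the same as a safe kernel.

```shell
#!/bin/sh
# Added example: classify a kernel config for CONFIG_POSIX_CPU_TIMERS_TASK_WORK.
# With the option set to y, expired CPU timers are handled from task work in the
# owning task's context; when it is not set, handle_posix_cpu_timers() runs from
# interrupt context, which is the layout CVE-2025-38352 exploitation targets.
#
# posix_cpu_timer_task_work_state <config-file>   (plain or gzip-compressed)
#   prints: enabled   - CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y
#           disabled  - POSIX timers are built in, but task-work handling is not
#                       (symbol absent or explicitly "is not set")
#           unknown   - not a kernel config, or POSIX timers are off entirely
posix_cpu_timer_task_work_state() {
    _cfg="$1"
    case "$_cfg" in
        *.gz) _text=$(gzip -dc "$_cfg" 2>/dev/null) || _text="" ;;
        *)    _text=$(cat "$_cfg" 2>/dev/null) || _text="" ;;
    esac
    if printf '%s\n' "$_text" | grep -q '^CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y$'; then
        echo enabled
    elif printf '%s\n' "$_text" | grep -q '^CONFIG_POSIX_TIMERS=y$'; then
        # Assumption of this example: a kernel with POSIX timers but without
        # the task-work symbol (absent or "is not set") handles expiry in IRQ
        # context and is treated as the exposed configuration.
        echo disabled
    else
        echo unknown
    fi
}

# running_kernel_config: print the running kernel's config path, trying
# /proc/config.gz (requires CONFIG_IKCONFIG_PROC) and then /boot/config-$(uname -r).
# Returns 1 when neither is readable.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# demo: run the classifier over constructed config fragments (not real configs,
# only the lines the check looks at) so the script can be exercised offline.
demo() {
    _tmp=$(mktemp -d)
    printf 'CONFIG_POSIX_TIMERS=y\nCONFIG_POSIX_CPU_TIMERS_TASK_WORK=y\n' > "$_tmp/taskwork.config"
    printf 'CONFIG_POSIX_TIMERS=y\n' > "$_tmp/irq.config"
    printf '# CONFIG_POSIX_TIMERS is not set\n' > "$_tmp/notimers.config"
    for _f in "$_tmp/taskwork.config" "$_tmp/irq.config" "$_tmp/notimers.config"; do
        printf '%s: %s\n' "$(basename "$_f")" "$(posix_cpu_timer_task_work_state "$_f")"
    done
    rm -rf "$_tmp"
}

demo
if _live=$(running_kernel_config); then
    printf 'running kernel %s: %s\n' "$(uname -r)" "$(posix_cpu_timer_task_work_state "$_live")"
fi
```

A result of disabled means the kernel has the exposed timer-expiry layout and should be checked against the fixed version for its branch; enabled does not by itself prove the kernel is patched, only that the race window the PoC relies on is absent.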
Timeline
Dec 22, 2025
Public PoC exploit released for CVE-2025-38352
A public proof-of-concept exploit was released for CVE-2025-38352, demonstrating how the race in the Linux kernel's POSIX CPU timer code can be won from userspace. Public availability of the PoC raises the likelihood of broader abuse and prompted urgent patching recommendations.
Dec 22, 2025
Targeted exploitation of CVE-2025-38352 reported
Reports indicated that CVE-2025-38352 was being actively exploited in targeted attacks. The concern centres on kernels built without CONFIG_POSIX_CPU_TIMERS_TASK_WORK, in particular 32-bit Android devices.
Dec 22, 2025
Linux kernel patches released for CVE-2025-38352
Kernel patches were released to address CVE-2025-38352, a race condition in the Linux kernel's POSIX CPU timer implementation that frees a timer while handle_posix_cpu_timers() is still using it. The resulting use-after-free can corrupt kernel memory and enable local privilege escalation on affected systems.
Related Stories

Chronomaly Exploit and CVE-2025-38352 Linux Kernel Vulnerability
A critical race condition vulnerability, CVE-2025-38352, affecting the Linux kernel's POSIX CPU timers implementation has been publicly disclosed, with a proof-of-concept (PoC) exploit named 'Chronomaly' released on GitHub. The vulnerability is a use-after-free in `handle_posix_cpu_timers()`, primarily impacting 32-bit Android devices, where `CONFIG_POSIX_CPU_TIMERS_TASK_WORK` is not enabled and expired timers are handled in interrupt context. Exploitation allows a local attacker to achieve privilege escalation or execute arbitrary code in the kernel, and the exploit does not require kernel symbol offsets, making it portable across kernel builds. The exploit leverages race-window extension and cross-cache allocation techniques, requires a multi-core system for reliable exploitation, and has been demonstrated on QEMU-virtualized Linux kernels running v5.10.157. The vulnerability has been added to CISA's Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild. Security researchers have provided detailed technical analysis and exploitation steps, highlighting the risk to unpatched systems, especially those running vulnerable 32-bit Android kernels. Organizations are urged to review their Linux kernel configurations and apply patches or mitigations to prevent privilege escalation attacks stemming from this flaw.
1 month ago
Linux nftables flaw CVE-2023-31248 enables local root via use-after-free
Researchers detailed exploitation of **CVE-2023-31248** in the Linux kernel's `nftables` subsystem, showing how a chain lookup flaw can let local attackers gain root privileges. The bug exists because `nft_chain_lookup_byid` did not verify whether a chain was still active through `genmask` checks, allowing rules in a batch transaction to reference chains deleted in the same batch. That logic error can trigger a **use-after-free** when rule deletion in the control plane races with asynchronous transaction-worker cleanup, creating a path to reclaim freed memory and corrupt kernel objects. The write-up demonstrates an exploit on **Ubuntu 23.04** with kernel `6.2.0-20-generic`, using heap sprays and information leaks to recover kernel text and heap addresses before forging `nftables` structures and building a ROP chain that invokes `prepare_kernel_cred` and `commit_creds` to obtain a root shell. Researchers said kernels before `6.2.0-26-generic` were vulnerable, while upstream fixes added `genmask` validation to chain-by-ID lookups so inactive chains cannot be referenced. The same research also described a separate dormant-state chain hook deactivation bug that can trigger kernel warnings but was assessed as not practically exploitable and patched by blocking repeated dormant-state toggles within a single batch.
2 weeks ago
Linux Kernel Privilege Escalation CVE-2026-31431 Draws Patch and PoC Activity
`CVE-2026-31431` is a Linux kernel flaw classified as **CWE-669: Incorrect Resource Transfer Between Spheres** that can enable local privilege escalation to root and, in some cases, bypass isolation boundaries. The Canadian Centre for Cyber Security warned that the impact becomes more severe when the bug is chained with a remote code execution vulnerability, and urged organizations to identify exposed systems, apply vendor fixes, reboot after kernel updates, restrict access, enforce kernel security controls, monitor logs, and segment high-risk or Internet-facing workloads. Vendor and community activity indicates broad exposure across modern Linux platforms. Red Hat lists **RHEL 8**, **RHEL 9**, **RHEL 10**, and corresponding `kernel-rt` packages as affected, while **RHEL 6** and **RHEL 7** are marked not affected because the vulnerable code is absent. Public exploit interest accelerated after Theori published the **"Copy Fail"** technical write-up and proof-of-concept repository, which references testing on **Ubuntu 24.04 LTS**, **Amazon Linux 2023**, **RHEL 10.1**, and **SUSE 16**; Rocky Linux also published related errata, signaling downstream patch availability in enterprise Linux ecosystems.
5 days ago