Chronomaly Exploit and CVE-2025-38352 Linux Kernel Vulnerability
A critical race condition vulnerability, CVE-2025-38352, affecting the Linux kernel's POSIX CPU timers implementation has been publicly disclosed, with a proof-of-concept (PoC) exploit named 'Chronomaly' released on GitHub. The vulnerability is a use-after-free flaw in the handle_posix_cpu_timers() function, primarily impacting 32-bit Android devices where the CONFIG_POSIX_CPU_TIMERS_TASK_WORK flag is disabled. Exploitation allows attackers to achieve privilege escalation or execute arbitrary code in the kernel, and the exploit does not require kernel symbol offsets, making it highly portable across different configurations. The exploit leverages advanced race-window extension and cross-cache allocation techniques, requiring a multi-core system for reliable exploitation, and has been successfully demonstrated on QEMU-virtualized Linux kernels running v5.10.157.
The vulnerability has been added to CISA’s Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild. Security researchers have provided detailed technical analysis and exploitation steps, highlighting the risk to unpatched systems, especially those running vulnerable 32-bit Android kernels. Organizations are urged to review their Linux kernel configurations and apply patches or mitigations to prevent potential privilege escalation attacks stemming from this flaw.
Timeline
Jan 7, 2026
CISA adds CVE-2025-38352 to the KEV catalog
CISA added CVE-2025-38352 to its Known Exploited Vulnerabilities Catalog, reflecting confirmed exploitation and elevating the urgency of remediation. This formalized the vulnerability's status as an actively exploited security issue.
Jan 7, 2026
Upstream patch is released for CVE-2025-38352
An upstream fix was released to address CVE-2025-38352 in the Linux kernel. Administrators and device makers were advised to update to patched kernels or enable CONFIG_POSIX_CPU_TIMERS_TASK_WORK as a mitigation.
Jan 7, 2026
Exploitation of CVE-2025-38352 is reported in the wild
Reports said CVE-2025-38352 was being actively exploited, primarily against 32-bit Android devices, and that the Chronomaly exploit could grant root access on vulnerable Linux kernels. The issue was also noted as potentially affecting other 32-bit Linux-based systems.
Jan 7, 2026
Chronomaly exploit is released publicly on GitHub
Security researcher Faith from Zellic released a working exploit named Chronomaly for CVE-2025-38352. The exploit was described as portable across kernel configurations because it does not require kernel symbol offsets or fixed memory addresses.
Jan 7, 2026
CVE-2025-38352 is disclosed as a Linux kernel UAF flaw
A critical use-after-free vulnerability in the Linux kernel's POSIX CPU timers implementation, tracked as CVE-2025-38352, was publicly disclosed. The flaw affects systems where CONFIG_POSIX_CPU_TIMERS_TASK_WORK is disabled and can enable privilege escalation or kernel code execution.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Affected Products
Sources
Related Stories
Linux Kernel POSIX Timer Use-After-Free Vulnerability (CVE-2025-38352) Exploited with Public PoC
A critical use-after-free vulnerability, tracked as CVE-2025-38352, has been identified in the Linux kernel's POSIX CPU timer implementation. The flaw arises from a race condition in the `handle_posix_cpu_timers()` function, which can be exploited when a process enters a zombie state and timer structures are prematurely freed while still in use. This vulnerability is particularly impactful on systems with `CONFIG_POSIX_CPU_TIMERS_TASK_WORK` disabled, notably affecting 32-bit Android kernels and Linux LTS 6.12.33. A proof-of-concept (PoC) exploit for CVE-2025-38352 has been publicly released, demonstrating how attackers can leverage the race condition to trigger kernel memory corruption and potentially escalate privileges locally. The exploit involves creating a POSIX CPU timer, forcing a thread into a zombie state, and deleting the timer at a critical moment to induce a use-after-free scenario. Successful exploitation is evidenced by KASAN memory sanitizer warnings, and the vulnerability poses a significant risk for local privilege escalation on affected Linux systems.
1 months ago
Linux Kernel Privilege Escalation CVE-2026-31431 Draws Patch and PoC Activity
`CVE-2026-31431` is a Linux kernel flaw classified as **CWE-669: Incorrect Resource Transfer Between Spheres** that can enable local privilege escalation to root and, in some cases, bypass isolation boundaries. The Canadian Centre for Cyber Security warned that the impact becomes more severe when the bug is chained with a remote code execution vulnerability, and urged organizations to identify exposed systems, apply vendor fixes, reboot after kernel updates, restrict access, enforce kernel security controls, monitor logs, and segment high-risk or Internet-facing workloads. Vendor and community activity indicates broad exposure across modern Linux platforms. Red Hat lists **RHEL 8**, **RHEL 9**, **RHEL 10**, and corresponding `kernel-rt` packages as affected, while **RHEL 6** and **RHEL 7** are marked not affected because the vulnerable code is absent. Public exploit interest accelerated after Theori published the **"Copy Fail"** technical write-up and proof-of-concept repository, which references testing on **Ubuntu 24.04 LTS**, **Amazon Linux 2023**, **RHEL 10.1**, and **SUSE 16**; Rocky Linux also published related errata, signaling downstream patch availability in enterprise Linux ecosystems.
5 days ago
Active Exploitation of Windows Kernel Privilege Escalation Vulnerability CVE-2025-62215
Microsoft has disclosed a critical elevation-of-privilege vulnerability in the Windows Kernel, tracked as CVE-2025-62215, which is being actively exploited in the wild. The flaw arises from a race condition and improper memory management, specifically a double-free scenario, allowing local attackers to escalate privileges to SYSTEM level. Exploitation requires an attacker to already have access to the system, but no user interaction is needed, and the attack can be automated. Microsoft has rated the vulnerability as Important, with a CVSS score of 7.0, and notes that all supported Windows 10 editions are affected, including those under Extended Security Updates (ESU). No workaround is available other than applying the official update, and immediate patching is strongly recommended. The vulnerability is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-415 (Double Free), making it a classic post-compromise privilege escalation vector. Attackers can exploit the timing-sensitive memory corruption path in the kernel to gain elevated access, disable security defenses, and move laterally within networks. The attack surface is particularly concerning in enterprise environments where multiple users share access, as any authenticated user can potentially trigger the exploit. Security experts warn that both targeted threat actors and ransomware operators may leverage this flaw to deepen their foothold after initial access, emphasizing the urgency of deploying the security update across all affected systems.
1 months ago