Skip to content

OSG-SEC-2025-09-11 CRITICAL linux-kernel: CRITICAL risk vulnerability concerning Linux kernel allowing local privilege escalation,CVE-2025-38352

Dear OSG Security Contacts,

A race condition was found in the Linux kernel’s POSIX CPU timer handling, where handle_posix_cpu_timers() may run concurrently with posix_cpu_timer_del() on an exiting task which could result in use-after-free scenarios. An attacker with local user access could use this flaw to crash or escalate their privileges on a system. Also there is a known exploit.

Exploitation of this flaw could allow an attacker with local user access to: Cause a denial of service by crashing the kernel. Potentially escalate privileges to root

IMPACTED VERSIONS:

RHEL 7ELS,8,9,10 and derivatives.

WHAT ARE THE VULNERABILITIES:

The Linux kernel has a bug in the way it handles POSIX CPU timers. Two parts of the kernel (handle_posix_cpu_timers() and posix_cpu_timer_del()) can sometimes run at the same time when a process is exiting. This causes a race condition — one part of the kernel thinks memory is still in use, while the other part has already freed it. That creates a use-after-free bug.

Attack Preconditions:

Any valid, unprivileged user account. The kernel must have POSIX timers enabled (CONFIG_POSIX_TIMERS=y). Race Condition Trigger:The attacker needs to reliably trigger the timing window where memory is freed but still in use. Kernels with CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y reduce the race window, but are still patched for defense-in-depth.

WHAT YOU SHOULD DO:

Upgrade to secure packages as they become available.

REFERENCES

  • [1] https://access.redhat.com/errata/RHSA-2025:15471
  • [2] https://access.redhat.com/errata/RHSA-2025:15661
  • [3] https://bugzilla.redhat.com/show_bug.cgi?id=2382581
  • [4] https://access.redhat.com/security/cve/cve-2025-3835
  • [5] https://nvd.nist.gov/vuln/detail/CVE-2025-38352
  • [6] https://www.cve.org/CVERecord?id=CVE-2025-38352
  • [7] https://ubuntu.com/security/CVE-2025-38352
  • [8] https://errata.almalinux.org/8/ALSA-2025-15471.html

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team