
PoC Exploit Released for Android / Linux Kernel Vulnerability (CVE-2025-38352)

Tappy Admin
January 11, 2026

A proof of concept (PoC) exploit for CVE-2025-38352, a critical race condition in the Linux kernel, has just been made public on GitHub.

The vulnerability, which was discovered earlier this year, targets the implementation of the POSIX CPU timers. It was previously used in limited, targeted attacks against 32-bit Android devices.

CVE-2025-38352 is a use-after-free (UAF) vulnerability in the handle_posix_cpu_timers() function of the Linux kernel.

The vulnerability is reachable when the CONFIG_POSIX_CPU_TIMERS_TASK_WORK configuration option is disabled, which is the case in most 32-bit Android kernels and not in 64-bit systems.

The vulnerability arises from a race condition occurring when POSIX CPU timers fire on zombie tasks.

By carefully timing the creation of a zombie process, its reaping by the parent process, and the triggering of a timer deletion, an attacker can make the kernel access already freed memory, leading to privilege escalation or kernel code execution.

Chronomaly Exploit

A security researcher named “Faith” (working with the blockchain security company Zellic) has released “Chronomaly,” an exploit that targets Linux kernel versions v5.10.x.

The bug was presented in a three-part technical blog series covering the discovery, analysis, and exploitation of the vulnerability.

The exploit is notable because it does not need kernel symbol offsets or addresses, which makes the attack portable.

It contains efficient race window extension tricks using the CPU timer and a cross-cache allocation scheme for the sigqueue structs.

A multi core processor with a minimum of two CPUs is required for the exploit to trigger the race condition.

Testing has confirmed successful exploitation on QEMU-virtualized Linux kernel version v5.10.157, where the parameters can be adjusted

The vulnerability has been included in the Known Exploited Vulnerabilities Catalog of CISA, which signifies active exploitation.

It poses a threat in particular to Android-based devices running a kernel of version 3.4 or lower.

According to the GitHub advisory, users should update to a patched kernel or enable the option CONFIG_POSIX_CPU_TIMERS_TASK_WORK.
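To check a device or build against the advisory's recommendation, the script below classifies a kernel config by the state of CONFIG_POSIX_CPU_TIMERS_TASK_WORK. It is an added example, not code from the article, the advisory or the Chronomaly repository; the function names, the output wording and the sample config are constructed, and it assumes the config is readable from /proc/config.gz, /boot/config-$(uname -r) or a file you supply.

```shell
#!/bin/sh
# Added example (not from the article or the advisory): report whether a kernel
# config has the option the advisory recommends enabling for CVE-2025-38352.
OPT=CONFIG_POSIX_CPU_TIMERS_TASK_WORK

# Read kernel config text on stdin; print "enabled", "disabled" or "absent".
# Only an exact "OPT=y" line counts, so the similarly named
# CONFIG_HAVE_POSIX_CPU_TIMERS_TASK_WORK is not mistaken for it.
classify_config() {
    awk -v opt="$OPT" '
        $0 == (opt "=y")               { state = "enabled" }
        $0 == ("# " opt " is not set") { state = "disabled" }
        END { print (state == "" ? "absent" : state) }
    '
}

# Print a verdict for config text on stdin; return 0 only when the option is on.
# A symbol that a full .config does not mention is off, so "absent" fails too.
check_config() {
    state=$(classify_config)
    if [ "$state" = enabled ]; then
        echo "OK: $OPT=y"
        return 0
    fi
    echo "AT RISK: $OPT is $state; update to a patched kernel or enable it"
    return 1
}

# Config of the running kernel (assumed locations; the first needs IKCONFIG_PROC).
read_running_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Usage: sh check.sh running | sh check.sh sample | sh check.sh /path/to/.config
case "${1:-}" in
    "")      : ;;  # no argument: only define the functions (e.g. when sourced)
    running) cfg=$(read_running_config) || { echo "no readable kernel config" >&2; exit 2; }
             printf '%s\n' "$cfg" | check_config ;;
    sample)  printf '%s\n' 'CONFIG_POSIX_TIMERS=y' "# $OPT is not set" | check_config ;;  # constructed input
    *)       check_config < "$1" ;;
esac
```

On an Android device the same check can be fed from a config pulled off the device and passed as a file path.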

The vulnerability was fixed by the upstream Linux kernel patch in commit f90fff1e152dedf52b932240ebbd670d83330eca, which prevents the processing of a timer on zombie tasks.

Device manufacturers and system administrators should prioritize the kernel update, since this is a very serious vulnerability.
