A vulnerability in the Linux kernel's implementation of POSIX CPU timers has drawn attention following the release of a working proof-of-concept exploit. The flaw, tracked as CVE-2025-38352, is a classic use-after-free in handle_posix_cpu_timers(), the function that processes a task's expired CPU-clock timers when run_posix_cpu_timers() is invoked from the timer interrupt path.
At its core, the vulnerability is a race between the cleanup of a task that has already entered the zombie state and the concurrent removal of one of its timers. Once the exiting task has passed exit_notify(), it can be reaped by its parent or debugger as soon as handle_posix_cpu_timers() drops the task's sighand lock. A posix_cpu_timer_del() running at that moment can no longer look up or lock the task, so it cannot see that the timer is still marked as firing; it proceeds to free the timer (through the RCU deferred-free path) while the firing path is still using it, and the kernel ends up dereferencing memory that has already been released.
In the exploit demonstration, an auxiliary thread is created with an active timer that fires immediately after the thread transitions into the zombie state. At the same time, the parent process initiates timer removal using ptrace. If the two operations land within the narrow timing window, the kernel accesses freed memory, which can corrupt internal kernel data structures.
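To make the ordering of events concrete, the following is an added user-space model of the race, written for this page; it is neither kernel code nor the published proof of concept. It mirrors the control flow of kernel/time/posix-cpu-timers.c only as far as the race needs: the deleting side can honour the timer's firing flag only while it can still lock the task's sighand, and that stops being true the moment the zombie is reaped. The fixed variant applies the guard the upstream patch added at the start of run_posix_cpu_timers(), which returns early when the task's exit_state is already set. Field and function names other than those are simplifications chosen for the model.

```c
/*
 * Simplified model of the CVE-2025-38352 race (added example, not kernel
 * code and not the PoC). Three scenarios are exercised:
 *   1. live task: timer_del sees 'firing' and retries, no UAF
 *   2. zombie task, unfixed kernel: task reaped in the window, timer freed
 *      under the firing path, UAF
 *   3. zombie task, fixed kernel: exit_state guard, nothing is handled
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TIMER_RETRY   (-1)
#define FREED_PATTERN 0x6b      /* stand-in for the slab poison left by kfree() */

struct cpu_timer {
	int firing;             /* set while handle_posix_cpu_timers() fires it */
	int expired;            /* stand-in for the timer's other fields */
};

struct task {
	int exit_state;         /* nonzero once the task passed exit_notify() */
	bool released;          /* release_task() ran: sighand no longer lockable */
	struct cpu_timer *timer;
};

struct outcome {
	bool timers_fired;      /* firing path completed normally */
	bool del_retried;       /* posix_cpu_timer_del saw 'firing' and backed off */
	bool use_after_free;    /* firing path touched memory freed by timer_del */
};

/* lock_task_sighand() fails once the task has been released. */
static bool lock_task_sighand(const struct task *t)
{
	return !t->released;
}

/* True if every byte of the timer carries the freed-memory pattern. */
static bool looks_freed(const struct cpu_timer *tm)
{
	const unsigned char *p = (const unsigned char *)tm;
	for (size_t i = 0; i < sizeof *tm; i++)
		if (p[i] != FREED_PATTERN)
			return false;
	return true;
}

/*
 * posix_cpu_timer_del(): a timer that is currently firing must not be freed,
 * so the kernel returns TIMER_RETRY and the caller tries again later. That
 * check is only reachable while the task can still be locked; otherwise the
 * timer is treated as idle and freed immediately.
 */
static int posix_cpu_timer_del(struct task *t, struct cpu_timer *tm, struct outcome *o)
{
	if (lock_task_sighand(t) && tm->firing) {
		o->del_retried = true;
		return TIMER_RETRY;
	}
	memset(tm, FREED_PATTERN, sizeof *tm);   /* "kfree" the timer */
	return 0;
}

/* The concurrent side: the parent reaps the zombie, then deletes its timer. */
static void reaper_and_deleter(struct task *t, struct outcome *o)
{
	if (t->exit_state)
		t->released = true;                  /* release_task() */
	posix_cpu_timer_del(t, t->timer, o);
}

/*
 * run_posix_cpu_timers() as reached from the timer interrupt, with the
 * interleaving forced at the window the bug lives in: right after the sighand
 * lock is dropped and before the collected timers are fired.
 */
static struct outcome run_posix_cpu_timers(struct task *t, bool fixed)
{
	struct outcome o = {0};
	struct cpu_timer *tm = t->timer;

	/* The upstream fix: never handle timers for a task past exit_notify(). */
	if (fixed && t->exit_state)
		return o;

	tm->firing = 1;                 /* collected under sighand lock */
	reaper_and_deleter(t, &o);      /* unlock_task_sighand(): window opens */

	if (looks_freed(tm)) {          /* firing path reads the timer again */
		o.use_after_free = true;
		return o;
	}
	tm->firing = 0;
	o.timers_fired = true;
	return o;
}

/* Run one scenario on a freshly constructed task and timer. */
static struct outcome simulate(bool fixed, bool zombie)
{
	struct cpu_timer tm = { .firing = 0, .expired = 1 };
	struct task t = { .exit_state = zombie ? 1 : 0, .released = false, .timer = &tm };
	return run_posix_cpu_timers(&t, fixed);
}

int main(void)
{
	struct outcome a = simulate(false, false), b = simulate(false, true), c = simulate(true, true);
	printf("live task, unfixed : fired=%d retried=%d uaf=%d\n", a.timers_fired, a.del_retried, a.use_after_free);
	printf("zombie,    unfixed : fired=%d retried=%d uaf=%d\n", b.timers_fired, b.del_retried, b.use_after_free);
	printf("zombie,    fixed   : fired=%d retried=%d uaf=%d\n", c.timers_fired, c.del_retried, c.use_after_free);
	return 0;
}
```

The model shows why the single exit_state check is enough: the TIMER_RETRY handshake between the two sides only works while the task is lockable, so the fix simply refuses to start handling timers for a task that could be reaped during the window.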
According to the research, practical exploitation is limited to 32-bit ARM Android devices. Kernels built with CONFIG_POSIX_CPU_TIMERS_TASK_WORK, which the research reports is the case for 64-bit kernels, defer timer expiry handling to task_work context; that work runs in the exiting task's own context before it becomes a zombie, so the interrupt-path race described above is not reachable. Whether a given kernel has the option enabled can be checked in its build configuration (for example /proc/config.gz or /boot/config-$(uname -r) where those are available). As a result, exploitation is confined to Android configurations where this safeguard is absent.
Successfully reproducing the proof of concept requires a tightly controlled environment: Linux kernel 6.12.33, a multiprocessor (SMP) system, and KASAN disabled. The authors tested multiple configurations and observed characteristic crash signatures indicative of kernel integrity violations.
Although the current exploit code does not yet achieve privilege escalation, there is potential for further development using heap exploitation techniques such as cross-cache attacks. Kernel developers have already released a patch addressing the issue (it adds an exit_state check at the start of run_posix_cpu_timers() so that timers are never handled for a task that has already passed exit_notify()), and owners of affected devices are strongly advised to install the updated kernel versions as soon as possible to mitigate the risk of exploitation.