|
| 1 | +# OSG-SEC-2025-09-11 CRITICAL linux-kernel: CRITICAL risk vulnerability concerning Linux kernel allowing local privilege escalation,CVE-2025-38352 |
| 2 | + |
| 3 | +Dear OSG Security Contacts, |
| 4 | + |
| 5 | +A race condition was found in the Linux kernel’s POSIX CPU timer handling, where handle_posix_cpu_timers() may run concurrently with posix_cpu_timer_del() on an exiting task which could result in use-after-free scenarios. An attacker with local user access could use this flaw to crash or escalate their privileges on a system. Also there is a known exploit. |
| 6 | + |
| 7 | +Exploitation of this flaw could allow an attacker with local user access to: |
| 8 | +Cause a denial of service by crashing the kernel. |
| 9 | +Potentially escalate privileges to root |
| 10 | + |
| 11 | + |
| 12 | + |
| 13 | +## IMPACTED VERSIONS: |
| 14 | + |
| 15 | +RHEL 7ELS,8,9,10 and derivatives. |
| 16 | + |
| 17 | +## WHAT ARE THE VULNERABILITIES: |
| 18 | +The Linux kernel has a bug in the way it handles POSIX CPU timers. Two parts of the kernel (handle_posix_cpu_timers() and posix_cpu_timer_del()) can sometimes run at the same time when a process is exiting. |
| 19 | +This causes a race condition — one part of the kernel thinks memory is still in use, while the other part has already freed it. That creates a use-after-free bug. |
| 20 | +## Attack Preconditions: |
| 21 | +Any valid, unprivileged user account. |
| 22 | +The kernel must have POSIX timers enabled (CONFIG_POSIX_TIMERS=y). |
| 23 | +Race Condition Trigger:The attacker needs to reliably trigger the timing window where memory is freed but still in use. |
| 24 | +Kernels with CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y reduce the race window, but are still patched for defense-in-depth. |
| 25 | +## WHAT YOU SHOULD DO: |
| 26 | + |
| 27 | +Upgrade to secure packages as they become available. |
| 28 | + |
| 29 | +## REFERENCES |
| 30 | +- [1] https://access.redhat.com/errata/RHSA-2025:15471 |
| 31 | +- [2] https://access.redhat.com/errata/RHSA-2025:15661 |
| 32 | +- [3] https://bugzilla.redhat.com/show_bug.cgi?id=2382581 |
| 33 | +- [4] https://access.redhat.com/security/cve/cve-2025-3835 |
| 34 | +- [5] https://nvd.nist.gov/vuln/detail/CVE-2025-38352 |
| 35 | +- [6] https://www.cve.org/CVERecord?id=CVE-2025-38352 |
| 36 | +- [7] https://ubuntu.com/security/CVE-2025-38352 |
| 37 | +- [8] https://errata.almalinux.org/8/ALSA-2025-15471.html |
| 38 | + |
| 39 | + |
| 40 | + |
| 41 | +Please contact the OSG security team at security@osg-htc.org if you have any questions or concerns. |
| 42 | + |
| 43 | +OSG Security Team |
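Review bot: Reference [4] on line 33 links to cve-2025-3835, which does not match the CVE-2025-38352 identifier used in the title and in references [5] to [7]; the URL looks truncated and should end in cve-2025-38352. The items under "Exploitation of this flaw could allow an attacker with local user access to:" (lines 8-9) and under "## Attack Preconditions:" (lines 21-24) carry no list markers, so Markdown will run them together into one paragraph; prefix each with "- " and put a blank line before the headings on lines 20 and 25. Smaller points: the title on line 1 is missing a space after the comma before the CVE id and repeats "CRITICAL", line 23 needs a space after "Race Condition Trigger:", and line 15 would read more clearly as "RHEL 7 ELS, 8, 9, 10".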