
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-38352 is a Linux kernel vulnerability: a race condition between the handle_posix_cpu_timers() and posix_cpu_timer_del() functions. The vulnerability was disclosed on July 22, 2025 (NVD).
The vulnerability occurs when an exiting non-autoreaping task that has already passed exit_notify() calls handle_posix_cpu_timers() from IRQ. At this point, the task can be reaped by its parent or debugger right after unlock_task_sighand(). If posix_cpu_timer_del() runs concurrently, it fails to detect timer->it.cpu.firing != 0 because cpu_timer_task_rcu() and/or lock_task_sighand() will fail. According to Rapid7's assessment, this vulnerability has been assigned a CVSS score of 7.0 with vector (AV:N/AC:M/Au:N/C:N/I:N/A:C) (Rapid7).
The vulnerability affects multiple versions of the Linux kernel across different distributions. According to the Debian Security Tracker, several versions were found to be vulnerable, including Linux 5.10.223-1 in Bullseye, 6.1.137-1 in Bookworm, and 6.12.31-1 in Trixie (Debian Tracker).
The issue has been fixed by adding a tsk->exit_state check into run_posix_cpu_timers(). This fix is not required if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, as exit_task_work() is called before exit_notify(). However, the check is still implemented, because task_work_add(&tsk->posix_cputimers_work.work) would fail in this case anyway. Fixed versions include Linux kernel 6.12.38-1 in Debian sid and trixie releases (Debian Tracker).
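A triage check built from the two facts above (the fixed trixie/sid package version and the CONFIG_POSIX_CPU_TIMERS_TASK_WORK condition), as an added example that is not part of the original advisory or of any Debian tooling. The function names, result labels and sample inputs are assumptions; the version comparison follows the Debian ordering rules, and the check applies only to trixie/sid because the page gives no fixed version for the other releases.

```python
import re

# Values from the advisory text; everything else here is illustrative.
FIXED_TRIXIE = "6.12.38-1"  # fixed package version (Debian sid/trixie)
TASK_WORK_OPT = "CONFIG_POSIX_CPU_TIMERS_TASK_WORK"

def _part_key(part):
    """Sort key for an upstream or revision string, following Debian ordering:
    alternate non-digit and digit runs; '~' sorts before end-of-string,
    letters before other characters, digit runs compare numerically."""
    pairs = [p for p in re.findall(r"(\D*)(\d*)", part) if p != ("", "")]
    key = []
    for text, digits in pairs + [("", "")]:  # trailing pair marks end-of-string
        chars = [-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
                 for c in text]
        key.append((chars + [0], int(digits or 0)))
    return key

def deb_key(version):
    """Split [epoch:]upstream[-revision] and build a comparable key."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return (int(epoch), _part_key(upstream), _part_key(rev))

def triage(pkg_version, kernel_config):
    """Classify a trixie/sid kernel package against the advisory."""
    if deb_key(pkg_version) >= deb_key(FIXED_TRIXIE):
        return "fixed"
    if re.search(rf"^{TASK_WORK_OPT}=y$", kernel_config, re.M):
        # Advisory: exit_task_work() runs before exit_notify() in this build.
        return "fix-not-required"
    return "update-needed"

# Constructed sample inputs (not taken from a real host).
CONFIG_OFF = "CONFIG_POSIX_TIMERS=y\n# CONFIG_POSIX_CPU_TIMERS_TASK_WORK is not set\n"
CONFIG_ON = "CONFIG_POSIX_TIMERS=y\nCONFIG_POSIX_CPU_TIMERS_TASK_WORK=y\n"

if __name__ == "__main__":
    for ver, cfg in [("6.12.31-1", CONFIG_OFF), ("6.12.31-1", CONFIG_ON),
                     ("6.12.38-1", CONFIG_OFF), ("6.12.38~rc1-1", CONFIG_OFF)]:
        print(ver, triage(ver, cfg))
```

On a real host the package version would come from the package manager and the config text from the running kernel's config file; both are passed in as strings here so the check runs offline.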
Source: This report was generated using AI