Bug 2382581 (CVE-2025-38352)

Summary: CVE-2025-38352 kernel: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dwb7, michael.h.hall-1
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A race condition was found in the Linux kernel’s POSIX CPU timer handling, where handle_posix_cpu_timers() may run concurrently with posix_cpu_timer_del() on an exiting task which could result in use-after-free scenarios. An attacker with local user access could use this flaw to crash or escalate their privileges on a system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-07-22 09:01:21 UTC 
In the Linux kernel, the following vulnerability has been resolved:

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
or debugger right after unlock_task_sighand().

If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
lock_task_sighand() will fail.

Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.

This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because
exit_task_work() is called before exit_notify(). But the check still
makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail
anyway in this case.
Comment 1 Michal Findra 2025-07-22 12:10:44 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025072229-CVE-2025-38352-f1de@gregkh/T
Comment 3 Dave B 2025-09-05 20:15:50 UTC 
https://cybersecuritynews.com/cisa-linux-kernel-race-condition-vulnerability/
...
In response to confirmed “in-the-wild” exploitation, CISA’s addition to the KEV catalog triggers a binding operational directive for federal agencies.
...
Comment 6 errata-xmlrpc 2025-09-08 13:34:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:15472 https://access.redhat.com/errata/RHSA-2025:15472
Comment 7 errata-xmlrpc 2025-09-08 13:54:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:15471 https://access.redhat.com/errata/RHSA-2025:15471
Comment 10 errata-xmlrpc 2025-09-10 15:52:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:15646 https://access.redhat.com/errata/RHSA-2025:15646
Comment 11 errata-xmlrpc 2025-09-10 16:13:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:15647 https://access.redhat.com/errata/RHSA-2025:15647
Comment 12 errata-xmlrpc 2025-09-10 16:18:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:15648 https://access.redhat.com/errata/RHSA-2025:15648
Comment 13 errata-xmlrpc 2025-09-10 17:14:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions

Via RHSA-2025:15649 https://access.redhat.com/errata/RHSA-2025:15649
Comment 14 errata-xmlrpc 2025-09-10 18:23:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:15656 https://access.redhat.com/errata/RHSA-2025:15656
Comment 15 errata-xmlrpc 2025-09-10 18:48:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:15657 https://access.redhat.com/errata/RHSA-2025:15657
Comment 16 errata-xmlrpc 2025-09-10 20:42:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:15658 https://access.redhat.com/errata/RHSA-2025:15658
Comment 17 errata-xmlrpc 2025-09-11 01:48:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:15660 https://access.redhat.com/errata/RHSA-2025:15660
Comment 18 errata-xmlrpc 2025-09-11 03:14:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:15661 https://access.redhat.com/errata/RHSA-2025:15661
Comment 19 errata-xmlrpc 2025-09-11 03:38:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:15662 https://access.redhat.com/errata/RHSA-2025:15662
Comment 20 errata-xmlrpc 2025-09-11 06:28:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:15669 https://access.redhat.com/errata/RHSA-2025:15669
Comment 21 errata-xmlrpc 2025-09-11 06:36:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:15668 https://access.redhat.com/errata/RHSA-2025:15668
Comment 22 errata-xmlrpc 2025-09-11 07:35:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:15670 https://access.redhat.com/errata/RHSA-2025:15670
Comment 23 errata-xmlrpc 2025-09-15 13:27:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:15798 https://access.redhat.com/errata/RHSA-2025:15798
Comment 24 errata-xmlrpc 2025-09-16 08:04:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:15921 https://access.redhat.com/errata/RHSA-2025:15921
Comment 25 errata-xmlrpc 2025-09-16 09:02:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:15931 https://access.redhat.com/errata/RHSA-2025:15931
Comment 26 errata-xmlrpc 2025-09-16 09:03:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:15932 https://access.redhat.com/errata/RHSA-2025:15932
Comment 27 errata-xmlrpc 2025-09-16 09:04:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:15933 https://access.redhat.com/errata/RHSA-2025:15933
Comment 28 errata-xmlrpc 2025-09-16 17:48:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions

Via RHSA-2025:16008 https://access.redhat.com/errata/RHSA-2025:16008
Comment 29 errata-xmlrpc 2025-09-17 07:24:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

Via RHSA-2025:16045 https://access.redhat.com/errata/RHSA-2025:16045