PoC Exploit Released for Use-After-Free Vulnerability in Linux Kernel POSIX CPU Timers
A newly discovered vulnerability in the Linux kernel’s POSIX CPU timers has been exposed, with a detailed proof-of-concept demonstrating one of the most sophisticated kernel exploits targeting Android devices.
The vulnerability, identified as CVE-2025-38352, is a use-after-free (UAF) flaw in the Linux kernel’s POSIX CPU timers implementation, which can be exploited by attackers to gain unauthorized access to sensitive information.
Prior to the release of the proof-of-concept, the vulnerability had been reported in limited, targeted attacks on Android devices, but the new proof-of-concept provides a fully functional demonstration of the vulnerability’s mechanics.
The vulnerability exists in the handle_posix_cpu_timers() kernel function, which processes fired timers during CPU scheduler ticks, and occurs when a task transitions to a zombie state, a process state that occurs after a thread exits but before its parent process collects its exit status.
The critical flaw can be exploited by attackers to gain control over the kernel, allowing them to execute arbitrary code and potentially escalate privileges.
Technical Exploitation Mechanics
The attack exploits a race condition between two critical kernel operations, allowing an attacker to reap a zombie task and delete a timer, causing the kernel to free the timer structure via the RCU (Read-Copy-Update) mechanism while it’s still being accessed, creating a classic use-after-free scenario.
To exploit the vulnerability, an attacker must create a child process with a non-main thread that has a POSIX CPU timer set to fire immediately after the thread transitions to zombie state, while a parent process, running via ptrace, reaps the zombie thread and calls timer_delete() simultaneously.
When the race window is won, the freed timer is accessed in handle_posix_cpu_timers(), triggering kernel memory corruption and allowing the attacker to execute arbitrary code.
Notably, this vulnerability exclusively affects 32-bit Android devices, as modern 64-bit Linux kernels and x86 architectures include the CONFIG_POSIX_CPU_TIMERS_TASK_WORK configuration option, which blocks exploitation.
Only 32-bit ARM devices lack this protection, explaining why exploits remain limited to specific Android implementations, and testing requires careful environmental setup, including kernel version 6.12.33, multi-CPU configuration, and disabled KASAN detection.
Researchers demonstrated successful exploitation both with and without kernel address sanitizer, producing distinct crash signatures and validating the triggering methodology of the race condition.
Proof of Concept Details
The working proof-of-concept combines parent-child process coordination through ptrace attachment, multi-threaded synchronization using barriers, and CPU affinity pinning, achieving a success rate of approximately 50% on properly configured systems.
The exploit has been reported by Security Researcher Faraz, and security impact manifests through KASAN-detected slab-use-after-free writes and kernel warnings in send_sigqueue(), demonstrating successful memory corruption within kernel structures.
While current proof-of-concepts remain largely theoretical, researchers note potential for privilege escalation through cross-cache heap exploitation techniques, although extending the limited race window within interrupt context presents engineering challenges.
The Linux kernel community has already deployed patches, and affected systems should prioritize immediate updates to mitigated kernel versions to prevent potential attacks.