NEWS How to become a “god” in Linux just by timing things right.

ExcalibuR

If you have a 32‑bit Linux or Android system lying around somewhere, now is a good time to check its configuration and kernel updates.



A vulnerability has been discovered in Linux whose exploitation requires only hitting a very short timing window, after which the kernel continues operating on memory it has already freed. This is no longer theoretical: a working proof-of-concept exploit for CVE‑2025‑38352 (CVSS score: 7.4) has been published on GitHub, showing that the issue is practically usable for privilege escalation.


CVE‑2025‑38352 is a use‑after‑free in the kernel's POSIX CPU timer implementation, in the function handle_posix_cpu_timers(). It manifests only in builds where CONFIG_POSIX_CPU_TIMERS_TASK_WORK is disabled, that is, where expired CPU timers are processed directly in interrupt context instead of being deferred to task work. That configuration is common in 32‑bit Android kernels, whereas 64‑bit kernels typically build with the task‑work path, so the vulnerable code path is not reached there.


At its core is a race between a POSIX CPU timer firing on a zombie task (one that has exited but has not yet been reaped) and the deletion of that timer. If the task's exit, its reaping by the parent, and the timer deletion line up with sufficiently precise timing, the kernel ends up touching memory that has already been freed. In the worst case that is enough for privilege escalation or even arbitrary code execution in kernel space.


The exploit has been named Chronomaly. It was published by a researcher named Faith, who works at Zellic. Alongside the code, a detailed three‑part technical write‑up was released, covering the discovery of the vulnerability, its analysis, and practical exploitation techniques. It is specifically noted that Chronomaly does not require prior knowledge of kernel symbol offsets or fixed memory addresses, making it more “portable” and less tied to a specific kernel build.


To reliably hit the required race window, the exploit needs a multicore CPU with at least two cores. The write‑up includes test results on QEMU running Linux kernel 5.10.157, and the parameters can be tuned for different environments. Internally, the exploit uses techniques to widen the race window via CPU timer manipulation and allocator cache‑shaping strategies, including for sigqueue structures.


Importantly, the vulnerability has already been added to the list of actively exploited issues, meaning it is tied to real‑world exploitation. While the primary risk currently concerns 32‑bit Android devices, the same timer code ships in 32‑bit builds of other Linux‑based systems, so it would be a mistake to dismiss the problem as limited to “old phones.”


The recommendation is standard, but especially urgent this time: update to a kernel that includes the fix. The fix was introduced by commit f90fff1e152dedf52b932240ebbd670d83330eca, which makes the kernel skip timer handling for tasks that are already exiting. The alternative sometimes suggested, enabling CONFIG_POSIX_CPU_TIMERS_TASK_WORK, is not a simple config flip: the symbol is not user‑selectable and is set automatically only on architectures that declare HAVE_POSIX_CPU_TIMERS_TASK_WORK, which is precisely what the affected 32‑bit builds lack, so for them the patched kernel is the realistic fix. Device manufacturers and system administrators should prioritize deploying updates before Chronomaly turns into a universal tool for large‑scale attacks.
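A quick triage check for the configuration dependency described above, added here as an illustration; it is not code from the article, from Zellic, or from the Chronomaly repository. It reads a kernel .config (the running kernel's /proc/config.gz or /boot/config-$(uname -r) by default, or any path you pass, for example one pulled from an Android device) and reports whether timer expiry goes through the task-work path or the interrupt-context path the bug needs, plus the online CPU count, since the published PoC needs at least two cores. The config locations and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added illustrative check for CVE-2025-38352 exposure by kernel configuration.
# Not from the article or the Chronomaly repository. It only inspects the build
# config; whether the fix commit is present must be confirmed from the kernel
# source or the distribution's changelog.

# Print the config text for $1, decompressing /proc/config.gz-style files.
read_kernel_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Print one word for the kernel config at $1: enabled, disabled, or unknown.
# "disabled" means POSIX timers are built but the task-work path is not, so
# handle_posix_cpu_timers() runs from interrupt context (the vulnerable setup).
config_task_work_state() {
    cfg="$1"
    if [ -z "$cfg" ] || [ ! -r "$cfg" ]; then
        echo unknown
        return 0
    fi
    text=$(read_kernel_config "$cfg")
    if printf '%s\n' "$text" | grep -q '^CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y$'; then
        echo enabled
    elif printf '%s\n' "$text" | grep -q '^CONFIG_POSIX_TIMERS=y$'; then
        echo disabled
    else
        echo unknown
    fi
}

# Number of online CPUs, falling back to 1 if it cannot be determined.
online_cpu_count() {
    n=$(getconf _NPROCESSORS_ONLN 2>/dev/null) || n=$(nproc 2>/dev/null) || n=1
    echo "${n:-1}"
}

# Verdict for the running system, or for the config file given as $1.
# Return code: 0 = task-work path built, 1 = IRQ-context path (exposed if the
# kernel lacks commit f90fff1e152dedf52b932240ebbd670d83330eca), 2 = unknown.
posix_cpu_timers_check() {
    cfg="$1"
    if [ -z "$cfg" ]; then
        if [ -r /proc/config.gz ]; then
            cfg=/proc/config.gz
        elif [ -r "/boot/config-$(uname -r)" ]; then
            cfg="/boot/config-$(uname -r)"
        fi
    fi
    state=$(config_task_work_state "$cfg")
    cpus=$(online_cpu_count)
    echo "config:      ${cfg:-<none found>}"
    echo "task-work:   $state"
    echo "online CPUs: $cpus"
    case "$state" in
        enabled)
            echo "verdict: timer expiry deferred to task work; vulnerable path not built"
            return 0 ;;
        disabled)
            echo "verdict: IRQ-context expiry; make sure the kernel carries the fix commit"
            if [ "$cpus" -ge 2 ]; then
                echo "note: two or more CPUs online, which the published PoC requires"
            fi
            return 1 ;;
        *)
            echo "verdict: could not read a kernel config; inspect the build by hand"
            return 2 ;;
    esac
}

# When run as a script, report on the live system (or on the path in $1).
# The if-wrapper keeps a non-zero verdict from aborting a caller under set -e.
if posix_cpu_timers_check "$@"; then :; fi
```

Run it as `sh check.sh` on the host, or `sh check.sh config.txt` after `adb shell 'cat /proc/config.gz' > config.gz` from a device; a "disabled" verdict on a kernel without the fix is the situation the article warns about.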