CVE-2025-38352

설명

In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fi...

영향 제품·버전

공급사 Linux

제품 Kernel

영향 버전 0bdd2ed4138ec04e09b4f8165981efc99e439f55, 2.6.36, >= 2.6.36 < 5.4.295, >= 5.5 < 5.10.239, >= 5.11 < 5.15.186, >= 5.16 < 6.1.142, >= 6.2 < 6.6.94, >= 6.7 < 6.12.34, >= 6.13 < 6.15.3, 6.16, 11.0

수정 버전 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.94, 6.12.34, 6.15.3

조치 방법

• 공급사가 제공한 최신 보안 업데이트 적용
• 자사 보유 제품과 영향 버전의 일치 여부 확인
• 외부 노출 서비스와 비정상 인증·접속 로그 점검
• 패치가 어려우면 공급사 완화조치와 접근통제 적용

기술 정보

CVSS 벡터 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE CWE-367

KEV 등록일 2025.09.04

랜섬웨어 캠페인 사용 미확인

CISA 비고 This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff ; https://source.android.com/docs/security/bulletin/2025-09-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-38352

EPSS 데이터 기준일 2026.06.27