Chronomaly Unleashed: The Race Condition Exploit Giving Root to 32-bit Linux

A critical vulnerability has been unearthed within the Linux kernel, requiring only a fleeting temporal window for exploitation before the kernel erroneously interacts with deallocated memory. This is no longer a mere theoretical abstraction; a functional Proof-of-Concept (PoC) exploit for CVE-2025-38352 (boasting a CVSS score of 7.4) has surfaced on GitHub, demonstrating that the flaw is eminently viable for local privilege escalation.

Specifically, CVE-2025-38352 resides within the implementation of POSIX CPU timers, manifesting as a use-after-free (UAF) condition in the handle_posix_cpu_timers() function. This vulnerability emerges exclusively in configurations where the CONFIG_POSIX_CPU_TIMERS_TASK_WORK flag is disabled—a setting prevalent in 32-bit Android kernels, whereas 64-bit systems typically employ a disparate configuration that remains unaffected.

The core of the malaise is a race condition triggered when POSIX CPU timers expire on so-called “zombie tasks.” By precisely synchronizing the creation of a zombie process, its reaping by the parent, and the deletion of the timer, the kernel may access memory that has already been relinquished. In the most dire scenarios, this paves the way for elevated privileges or the execution of arbitrary code with kernel-level authority.

The exploit, christened Chronomaly, was released by a researcher known as Faith from the cybersecurity firm Zellic. Accompanying the code is a comprehensive three-part technical treatise detailing the discovery, analysis, and practical exploitation of the flaw. Notably, Chronomaly does not necessitate prior knowledge of kernel symbol offsets or fixed memory addresses, rendering it remarkably portable across various builds.

To reliably capture the requisite racing window, the exploit demands a multi-core processor with at least two CPUs. Testing was conducted on QEMU with Linux kernel 5.10.157, though parameters can be calibrated for diverse environments. The methodology involves distending the race window through CPU timer manipulation and utilizing heap-grooming strategies to influence object allocation, particularly for sigqueue structures.

Significantly, this vulnerability has been integrated into catalogs of actively exploited flaws, suggesting its deployment in real-world incursions. While the primary risk is tethered to 32-bit Android devices, the affected components persist in other 32-bit Linux-based systems, meaning the threat should not be dismissed as a legacy mobile issue.

The remedial mandate is standard yet extraordinarily urgent: transition to a patched kernel or enable the CONFIG_POSIX_CPU_TIMERS_TASK_WORK flag where feasible. The fix, implemented via commit f90fff1e152dedf52b932240ebbd670d83330eca, effectively prohibits timer processing on zombie tasks. Device manufacturers and system administrators are urged to prioritize these updates before Chronomaly evolves into a ubiquitous instrument for mass exploitation.