
An Android kernel vulnerability that Google warned was being actively exploited has been dissected by security researcher StreyPaws, whose analysis shows how an attacker who wins a narrow kernel race condition could escalate privileges.
CVE-2025-38352, patched in Google's September 2025 Android Security Bulletin, is a Time-of-Check to Time-of-Use (TOCTOU) race condition in the Linux kernel's POSIX CPU timer code (kernel/time/posix-cpu-timers.c), which implements the CLOCK_PROCESS_CPUTIME_ID and CLOCK_THREAD_CPUTIME_ID clocks and the interval timers created on them. The bug is in upstream kernel code rather than anything Android-specific; Android is where exploitation was reported.
The race arises during task termination, when two paths touch the same timer at once: the expiry path that is processing the timer, and another thread calling timer_delete() on it. In a newly published technical analysis, StreyPaws explains how this leaves a narrow but exploitable window.
"The specific race window occurs when an exiting task passes through exit_notify and enters handle_posix_cpu_timers from IRQ context," the researcher detailed. "If at that same moment a concurrent posix_cpu_timer_del executes, it may fail to detect that the timer is currently firing."
Because the firing state is missed, the deleting thread treats the timer as gone and frees it while the expiry path still holds a pointer to it: a use-after-free in kernel memory. At minimum this crashes the kernel; if an attacker can reallocate the freed object with controlled contents before the expiry path uses it again, it becomes a privilege-escalation primitive.
The researcher reproduced the bug in emulated Android kernel environments, triggering crashes on kernels built both with and without CONFIG_POSIX_CPU_TIMERS_TASK_WORK (the option that defers timer expiry from IRQ context to task work). Doing so required reverting the security patch and carefully timing the concurrent exit, expiry and deletion so that they landed inside the race window.
The fix, an upstream Linux change carried into the Android bulletin, is a short guard: run_posix_cpu_timers() now returns early when the current task's exit_state is set, so a task that has passed exit_notify() never starts processing its timers from IRQ context. With no expiry in progress for a task that is about to be reaped, a concurrent posix_cpu_timer_del() can no longer miss a firing timer, and the race window is closed.
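To make the control flow concrete, here is a step-through model of the race and of the fix, written for this article; it is not kernel source and not the researcher's reproducer. Kernel objects are reduced to a few flags, and the function names mirror the kernel paths they stand in for (lock_task_sighand(), posix_cpu_timer_del(), the exit_state guard added to run_posix_cpu_timers()). The interleaving in simulate_race() is the one the analysis describes: the expiry path marks the timer as firing and drops the sighand lock, the task is reaped, a concurrent timer_delete() cannot take the sighand lock and therefore never looks at the firing flag, and the expiry path then comes back to a freed timer. The TIMER_RETRY value, the field names and the two-phase split of the expiry path are simplifications chosen for the model.

```c
/*
 * Step-through model of the CVE-2025-38352 race. Example code written for
 * this article; not kernel source and not StreyPaws's reproducer. Kernel
 * objects are reduced to a few flags so the bad interleaving can be replayed
 * deterministically on any host with a C compiler.
 */
#include <stdio.h>

#define TIMER_RETRY 1   /* posix_cpu_timer_del() result meaning "try again" (model value) */

struct task {
    int exit_state;     /* non-zero once the task has passed exit_notify() */
    int sighand_alive;  /* cleared by release_task(); lock_task_sighand() then fails */
};

struct cpu_timer {
    struct task *owner;
    int queued;         /* armed on the owner's timer queue */
    int firing;         /* set by the expiry path while it processes the timer */
    int freed;          /* stands in for kfree(); any later access is a use-after-free */
};

/* lock_task_sighand(): only succeeds while the task has not been reaped. */
static int lock_task_sighand(struct task *t)
{
    return t->sighand_alive;
}

/* First half of handle_posix_cpu_timers(): under the sighand lock, expired
 * timers leave the queue and are marked firing; then the lock is dropped.
 * `patched` adds the tsk->exit_state guard from the fix.
 * Returns 1 if the timer is now on the firing list, 0 if the path bailed out. */
static int expiry_begin(struct task *tsk, struct cpu_timer *timer, int patched)
{
    if (patched && tsk->exit_state)
        return 0;                 /* the fix: an exiting task leaves its timers alone */
    if (!lock_task_sighand(tsk))
        return 0;
    timer->queued = 0;            /* check_thread_timers()/check_process_timers() */
    timer->firing = 1;
    return 1;                     /* unlock_task_sighand(): the race window opens here */
}

/* Second half: cpu_timer_fire() on each collected timer.
 * Returns 1 if the timer was already freed, i.e. the use-after-free. */
static int expiry_finish(struct cpu_timer *timer)
{
    int uaf = timer->freed;
    timer->firing = 0;
    return uaf;
}

/* posix_cpu_timer_del(), vulnerable control flow: the firing check sits in the
 * branch that runs only when lock_task_sighand() succeeds. If the owner has
 * already been reaped, the function reports success without checking firing. */
static int posix_cpu_timer_del(struct cpu_timer *timer)
{
    int ret = 0;

    if (!lock_task_sighand(timer->owner)) {
        /* kernel assumes exit cleanup already dequeued this timer */
    } else if (timer->firing) {
        ret = TIMER_RETRY;        /* caller must wait for the expiry path */
    } else {
        timer->queued = 0;        /* disarm_timer() */
    }
    return ret;
}

/* timer_delete() syscall path: on success the timer object is freed. */
static int timer_delete(struct cpu_timer *timer)
{
    int ret = posix_cpu_timer_del(timer);
    if (ret == 0)
        timer->freed = 1;
    return ret;
}

/* Normal case: deleting a firing timer of a live task is refused with TIMER_RETRY. */
static int delete_firing_timer_of_live_task(void)
{
    struct task tsk = { .exit_state = 0, .sighand_alive = 1 };
    struct cpu_timer timer = { .owner = &tsk, .queued = 1 };

    expiry_begin(&tsk, &timer, 0);
    return timer_delete(&timer);
}

/* The CVE interleaving. Returns 1 if the expiry path touched a freed timer. */
static int simulate_race(int patched)
{
    struct task tsk = { .exit_state = 1, .sighand_alive = 1 }; /* past exit_notify(), not yet reaped */
    struct cpu_timer timer = { .owner = &tsk, .queued = 1 };

    if (!expiry_begin(&tsk, &timer, patched))   /* CPU A: IRQ on the exiting task */
        return 0;
    tsk.sighand_alive = 0;                       /* parent/debugger reaps it: release_task() */
    timer_delete(&timer);                        /* CPU B: lock fails, firing never checked, timer freed */
    return expiry_finish(&timer);                /* CPU A resumes with a stale pointer */
}

int main(void)
{
    printf("live task, firing timer: %s\n",
           delete_firing_timer_of_live_task() == TIMER_RETRY ? "TIMER_RETRY" : "deleted");
    printf("unpatched: use-after-free = %d\n", simulate_race(0));
    printf("patched:   use-after-free = %d\n", simulate_race(1));
    return 0;
}
```

The model makes the TOCTOU visible: the "check" (timer->firing) is sound on its own, as delete_firing_timer_of_live_task() shows, but it is only reachable through a lock that the reaped task no longer has, so the "use" (freeing the timer) proceeds on stale information. The patched branch in expiry_begin() removes the race not by strengthening the check but by ensuring no timer of an exiting task is ever in the firing state in the first place.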
Immediate Impact: While Google hasn't disclosed specific exploitation details, the bulletin's "limited, targeted exploitation" wording points to use by well-resourced attackers. Users should install the September 2025 Android security update as soon as their device vendor ships it; because the bug is in upstream kernel code, other Linux systems need the corresponding stable kernel update as well.