CVE-2025-68214

MEDIUM EPSS 2.0%
Published Dec 16, 20256mo ago · Modified Jun 17, 20261w ago
4.7 CVSS 3.1
Medium
Find Similar
Published Dec 16, 2025 6mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: timers: Fix NULL function pointer race in timer_shutdown_sync() There is a race condition between timer_shutdown_sync() and timer expiration that can lead to hitting a WARN_ON in expire_timers(). The issue occurs when timer_shutdown_sync() clears the timer function to NULL while the timer is still running on another CPU. The race scenario looks like this: CPU0 CPU1 <SOFTIRQ> lock_timer_base() expire_timers() base->running_timer = timer; unlock_timer_base() [call_timer_fn enter] mod_timer() ... timer_shutdown_sync() lock_timer_base() // For now, will not detach the timer but only clear its function to NULL if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() [call_timer_fn exit] lock_timer_base() base->running_timer = NULL; unlock_timer_base() ... // Now timer is pending while its function set to NULL. // next timer trigger <SOFTIRQ> expire_timers() WARN_ON_ONCE(!fn) // hit ... lock_timer_base() // Now timer will detach if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() The problem is that timer_shutdown_sync() clears the timer function regardless of whether the timer is currently running. This can leave a pending timer with a NULL function pointer, which triggers the WARN_ON_ONCE(!fn) check in expire_timers(). Fix this by only clearing the timer function when actually detaching the timer. If the timer is running, leave the function pointer intact, which is safe because the timer will be properly detached when it finishes running.

CVSS Details

Base Score
4.7
Exploitability
1.0
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-362

Affected Products 10

VendorProductVersionRange
linuxlinux_kernel*≥6.2  –  <6.6.118
linuxlinux_kernel*≥6.7  –  <6.12.60
linuxlinux_kernel*≥6.13  –  <6.17.10
linuxlinux_kernel6.1.158any
linuxlinux_kernel6.18any
linuxlinux_kernel6.18any
linuxlinux_kernel6.18any
linuxlinux_kernel6.18any
linuxlinux_kernel6.18any
linuxlinux_kernel6.18any

References 6

  • git.kernel.org https://git.kernel.org/stable/c/176725f4848376530a0f0da9023f956afcc33585
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1a975716cc8977f461e45e28e3e5977d46ad7a6a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/20739af07383e6eb1ec59dcd70b72ebfa9ac362c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6665fbd7730b26d770c232b20d1b907e6a67a914
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a01efa7a780c42ac5170a949bd95c9786ffcc60a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ba43ac025c4318241f8edf94f31d2eebab86991b
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/176725f4848376530a0f0da9023f956afcc33585
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1a975716cc8977f461e45e28e3e5977d46ad7a6a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/20739af07383e6eb1ec59dcd70b72ebfa9ac362c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6665fbd7730b26d770c232b20d1b907e6a67a914
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a01efa7a780c42ac5170a949bd95c9786ffcc60a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ba43ac025c4318241f8edf94f31d2eebab86991b
    Patch