Conversation

@carlospolop
Collaborator

🔧 Automated Privilege Escalation Check Addition

🤔 Privilege Escalation Reasoning

The blog post analyzes CVE-2025-38352, a Linux kernel race-condition use-after-free in POSIX CPU timers, and provides a working PoC designed for Android/Linux kernels that lack CONFIG_POSIX_CPU_TIMERS_TASK_WORK. This is a generic, upstream Linux kernel bug (not a CTF-only misconfiguration or custom script) that is known to have been exploited in the wild, and the PoC is usable for local kernel privilege escalation on affected systems. Although the post focuses on Android targets, the vulnerable code path and configuration options are in mainline Linux and the author tested on a stock LTS kernel (6.12.33) compiled without CONFIG_POSIX_CPU_TIMERS_TASK_WORK, which is a realistic configuration in some mobile and embedded environments. linpeas already includes checks and references for known kernel LPE CVEs; adding awareness of this CVE and its configuration-related preconditions fits that model. The post describes conditions and configs to check (kernel version ranges, CONFIG_POSIX_CPU_TIMERS_TASK_WORK, presence of the fixing commit f90fff1e152dedf52b932240ebbd670d83330eca), and links a public PoC repository. This is not an abuse of a one-off local binary or bespoke configuration but a widely deployed kernel subsystem bug that can be used for privilege escalation from an unprivileged context to kernel code execution on vulnerable kernels.

🤖 Implementation Details

PEASS linpeas agent completed successfully with 107 items. Agent Comment: Summary:

  • Added a new linPEAS module (1_system_information/18_CVE_2025_38352.sh) that reports kernel release, a sanitized comparable version, the discovered CONFIG_POSIX_CPU_TIMERS_TASK_WORK setting (pulled from any readable kernel config), and a heuristic patch-status indicator. It highlights high‑risk situations when task_work is disabled and the kernel is still on a <6.12.34 build, and downgrades the warning when the fix is expected or when task_work is enabled.
  • The module includes a lightweight version parser and comparison helper so it can reason about 6.12.x builds even when the release string contains distro suffixes, and it color-codes each line (config, patch status, risk) to match existing linPEAS UX.
  • Updated linPEAS/README.md with a short “Dec 2025 update” note so users know linpeas now surfaces CVE‑2025‑38352 exposure automatically.

Tests:

  • sh -n linPEAS/builder/linpeas_parts/1_system_information/18_CVE_2025_38352.sh

The new check relies on the documented exploit preconditions (task_work disabled and lack of the upstream fix), so it stays fast, generic, and avoids digging through the entire filesystem.

🏗️ Builder Agent Response

LinPEAS build agent completed successfully with 29 items. Agent Comment: ✅ Build fixed and verified

What was done

  • Updated the metadata header in linPEAS/builder/linpeas_parts/1_system_information/18_CVE_2025_38352.sh to declare every $cve38352_* variable that the module creates under “Generated Global Variables.”
    • This satisfies the LinPEAS builder’s validation step, which requires each generated global variable to be explicitly listed.

Tests performed

  • python3 -m builder.linpeas_builder --all --output /tmp/linpeas_fat.sh (executed from /tmp/hacktricks_update_tv3dmi9b/repo/linPEAS) — ✅ build completed successfully and produced /tmp/linpeas_fat.sh.

Everything is now building cleanly with the requested command.


This PR was automatically created by the HackTricks Feed Bot. Please review the implementation carefully and test thoroughly before merging.
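The description above lists the three inputs the new module reasons about (a sanitized kernel release, a comparison against the 6.12.34 fixed build, and the CONFIG_POSIX_CPU_TIMERS_TASK_WORK setting from a readable kernel config). The following is an added, standalone exposure check written for this page; it is example code, not the linPEAS module the PR adds. The config file locations it probes, the `FIXED_VERSION` constant and the `high`/`reduced`/`low`/`unknown` risk labels are assumptions of this example; the 6.12.34 threshold is taken from the PR text.

```shell
#!/bin/sh
# Added example (not linPEAS code): report CVE-2025-38352 exposure preconditions
# on the local host. Version-only patch detection is a heuristic (see note below).

FIXED_VERSION="6.12.34"   # from the PR description: <6.12.34 builds are flagged

# Strip distro/vendor suffixes: "6.12.33-android14-4-gabc123" -> "6.12.33"
sanitize_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Compare two dotted versions numerically; prints -1, 0 or 1 (a<b, a=b, a>b).
# Missing components are treated as 0, so "6.13" > "6.12.34".
compare_versions() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# $1: plain-text kernel config. Prints y, n or unknown for the task_work option.
read_task_work_setting() {
    f="$1"
    [ -n "$f" ] && [ -r "$f" ] || { echo unknown; return; }
    if grep -q '^CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y' "$f"; then
        echo y
    elif grep -q '^# CONFIG_POSIX_CPU_TIMERS_TASK_WORK is not set' "$f"; then
        echo n
    else
        echo unknown
    fi
}

# Locate a readable kernel config (assumed paths). Prints a path or nothing.
find_kernel_config() {
    rel="$1"
    if [ -r /proc/config.gz ] && command -v zcat >/dev/null 2>&1; then
        tmp=$(mktemp) && zcat /proc/config.gz > "$tmp" 2>/dev/null && { echo "$tmp"; return; }
    fi
    for c in "/boot/config-$rel" /boot/config "/usr/lib/modules/$rel/config"; do
        [ -r "$c" ] && { echo "$c"; return; }
    done
    return 0
}

# $1: kernel release string, $2: task_work setting (y/n/unknown).
# Prints one of: low, reduced, high, unknown (labels are this example's own).
assess_risk() {
    v=$(sanitize_version "$1")
    [ -n "$v" ] || { echo unknown; return; }
    if [ "$(compare_versions "$v" "$FIXED_VERSION")" -ge 0 ]; then
        echo low        # release is at or above the build carrying the fix
        return
    fi
    case "$2" in
        y) echo reduced ;;   # pre-fix build, but task_work path is compiled in
        n) echo high ;;      # pre-fix build and task_work disabled: PoC preconditions met
        *) echo unknown ;;   # pre-fix build, config not readable
    esac
}

main() {
    rel=$(uname -r)
    cfg=${1:-$(find_kernel_config "$rel")}
    tw=$(read_task_work_setting "$cfg")
    echo "Kernel release:                   $rel (sanitized: $(sanitize_version "$rel"))"
    echo "Kernel config used:               ${cfg:-none readable}"
    echo "CONFIG_POSIX_CPU_TIMERS_TASK_WORK: $tw"
    echo "CVE-2025-38352 exposure:          $(assess_risk "$rel" "$tw")"
}

# Run the report only when executed directly with --run, so the functions can
# also be sourced from another script without side effects.
[ "${1:-}" = "--run" ] && main "${2:-}"
```

Run it as `sh check.sh --run` (or `sh check.sh --run /path/to/config` to point it at a specific config). The version comparison is only a heuristic, for the same reason the PR calls its indicator a "patch-status indicator": a vendor or distro backport of the fixing commit is invisible in the release string, so a `high` result means the documented preconditions appear to hold, not that the host is confirmed exploitable.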

…-wild Android Kernel Vulnerability Analysis and PoC