CVE-2025-68214 (GCVE-0-2025-68214)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2026-05-23 16:02
VLAI
Title
timers: Fix NULL function pointer race in timer_shutdown_sync()
Summary
In the Linux kernel, the following vulnerability has been resolved: timers: Fix NULL function pointer race in timer_shutdown_sync() There is a race condition between timer_shutdown_sync() and timer expiration that can lead to hitting a WARN_ON in expire_timers(). The issue occurs when timer_shutdown_sync() clears the timer function to NULL while the timer is still running on another CPU. The race scenario looks like this: CPU0 CPU1 <SOFTIRQ> lock_timer_base() expire_timers() base->running_timer = timer; unlock_timer_base() [call_timer_fn enter] mod_timer() ... timer_shutdown_sync() lock_timer_base() // For now, will not detach the timer but only clear its function to NULL if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() [call_timer_fn exit] lock_timer_base() base->running_timer = NULL; unlock_timer_base() ... // Now timer is pending while its function set to NULL. // next timer trigger <SOFTIRQ> expire_timers() WARN_ON_ONCE(!fn) // hit ... lock_timer_base() // Now timer will detach if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() The problem is that timer_shutdown_sync() clears the timer function regardless of whether the timer is currently running. This can leave a pending timer with a NULL function pointer, which triggers the WARN_ON_ONCE(!fn) check in expire_timers(). Fix this by only clearing the timer function when actually detaching the timer. If the timer is running, leave the function pointer intact, which is safe because the timer will be properly detached when it finishes running.
Severity
4.7 (Medium)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: debbcf812d735003c96c5e5968a3cfa4e1fbd1af , < ba43ac025c4318241f8edf94f31d2eebab86991b (git)
Affected: 334c33aa487be406a149c8b87c38c8399d2dba8d , < 1a975716cc8977f461e45e28e3e5977d46ad7a6a (git)
Affected: 0cc04e80458a822300b93f82ed861a513edde194 , < 6665fbd7730b26d770c232b20d1b907e6a67a914 (git)
Affected: 0cc04e80458a822300b93f82ed861a513edde194 , < 176725f4848376530a0f0da9023f956afcc33585 (git)
Affected: 0cc04e80458a822300b93f82ed861a513edde194 , < a01efa7a780c42ac5170a949bd95c9786ffcc60a (git)
Affected: 0cc04e80458a822300b93f82ed861a513edde194 , < 20739af07383e6eb1ec59dcd70b72ebfa9ac362c (git)
Affected: 6.1.158 , < 6.1.159 (semver)
Create a notification for this product.
Linux Linux Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/time/timer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ba43ac025c4318241f8edf94f31d2eebab86991b",
              "status": "affected",
              "version": "debbcf812d735003c96c5e5968a3cfa4e1fbd1af",
              "versionType": "git"
            },
            {
              "lessThan": "1a975716cc8977f461e45e28e3e5977d46ad7a6a",
              "status": "affected",
              "version": "334c33aa487be406a149c8b87c38c8399d2dba8d",
              "versionType": "git"
            },
            {
              "lessThan": "6665fbd7730b26d770c232b20d1b907e6a67a914",
              "status": "affected",
              "version": "0cc04e80458a822300b93f82ed861a513edde194",
              "versionType": "git"
            },
            {
              "lessThan": "176725f4848376530a0f0da9023f956afcc33585",
              "status": "affected",
              "version": "0cc04e80458a822300b93f82ed861a513edde194",
              "versionType": "git"
            },
            {
              "lessThan": "a01efa7a780c42ac5170a949bd95c9786ffcc60a",
              "status": "affected",
              "version": "0cc04e80458a822300b93f82ed861a513edde194",
              "versionType": "git"
            },
            {
              "lessThan": "20739af07383e6eb1ec59dcd70b72ebfa9ac362c",
              "status": "affected",
              "version": "0cc04e80458a822300b93f82ed861a513edde194",
              "versionType": "git"
            },
            {
              "lessThan": "6.1.159",
              "status": "affected",
              "version": "6.1.158",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/time/timer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.1.158",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntimers: Fix NULL function pointer race in timer_shutdown_sync()\n\nThere is a race condition between timer_shutdown_sync() and timer\nexpiration that can lead to hitting a WARN_ON in expire_timers().\n\nThe issue occurs when timer_shutdown_sync() clears the timer function\nto NULL while the timer is still running on another CPU. The race\nscenario looks like this:\n\nCPU0\t\t\t\t\tCPU1\n\t\t\t\t\t\u003cSOFTIRQ\u003e\n\t\t\t\t\tlock_timer_base()\n\t\t\t\t\texpire_timers()\n\t\t\t\t\tbase-\u003erunning_timer = timer;\n\t\t\t\t\tunlock_timer_base()\n\t\t\t\t\t[call_timer_fn enter]\n\t\t\t\t\tmod_timer()\n\t\t\t\t\t...\ntimer_shutdown_sync()\nlock_timer_base()\n// For now, will not detach the timer but only clear its function to NULL\nif (base-\u003erunning_timer != timer)\n\tret = detach_if_pending(timer, base, true);\nif (shutdown)\n\ttimer-\u003efunction = NULL;\nunlock_timer_base()\n\t\t\t\t\t[call_timer_fn exit]\n\t\t\t\t\tlock_timer_base()\n\t\t\t\t\tbase-\u003erunning_timer = NULL;\n\t\t\t\t\tunlock_timer_base()\n\t\t\t\t\t...\n\t\t\t\t\t// Now timer is pending while its function set to NULL.\n\t\t\t\t\t// next timer trigger\n\t\t\t\t\t\u003cSOFTIRQ\u003e\n\t\t\t\t\texpire_timers()\n\t\t\t\t\tWARN_ON_ONCE(!fn) // hit\n\t\t\t\t\t...\nlock_timer_base()\n// Now timer will detach\nif (base-\u003erunning_timer != timer)\n\tret = detach_if_pending(timer, base, true);\nif (shutdown)\n\ttimer-\u003efunction = NULL;\nunlock_timer_base()\n\nThe problem is that timer_shutdown_sync() clears the timer function\nregardless of whether the timer is currently running. This can leave a\npending timer with a NULL function pointer, which triggers the\nWARN_ON_ONCE(!fn) check in expire_timers().\n\nFix this by only clearing the timer function when actually detaching the\ntimer. If the timer is running, leave the function pointer intact, which is\nsafe because the timer will be properly detached when it finishes running."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:02:22.475Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ba43ac025c4318241f8edf94f31d2eebab86991b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a975716cc8977f461e45e28e3e5977d46ad7a6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6665fbd7730b26d770c232b20d1b907e6a67a914"
        },
        {
          "url": "https://git.kernel.org/stable/c/176725f4848376530a0f0da9023f956afcc33585"
        },
        {
          "url": "https://git.kernel.org/stable/c/a01efa7a780c42ac5170a949bd95c9786ffcc60a"
        },
        {
          "url": "https://git.kernel.org/stable/c/20739af07383e6eb1ec59dcd70b72ebfa9ac362c"
        }
      ],
      "title": "timers: Fix NULL function pointer race in timer_shutdown_sync()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68214",
    "datePublished": "2025-12-16T13:57:09.728Z",
    "dateReserved": "2025-12-16T13:41:40.256Z",
    "dateUpdated": "2026-05-23T16:02:22.475Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-68214",
      "date": "2026-06-08",
      "epss": "7e-05",
      "percentile": "0.00498"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68214\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-16T14:15:54.363\",\"lastModified\":\"2026-02-26T15:52:56.020\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntimers: Fix NULL function pointer race in timer_shutdown_sync()\\n\\nThere is a race condition between timer_shutdown_sync() and timer\\nexpiration that can lead to hitting a WARN_ON in expire_timers().\\n\\nThe issue occurs when timer_shutdown_sync() clears the timer function\\nto NULL while the timer is still running on another CPU. The race\\nscenario looks like this:\\n\\nCPU0\\t\\t\\t\\t\\tCPU1\\n\\t\\t\\t\\t\\t\u003cSOFTIRQ\u003e\\n\\t\\t\\t\\t\\tlock_timer_base()\\n\\t\\t\\t\\t\\texpire_timers()\\n\\t\\t\\t\\t\\tbase-\u003erunning_timer = timer;\\n\\t\\t\\t\\t\\tunlock_timer_base()\\n\\t\\t\\t\\t\\t[call_timer_fn enter]\\n\\t\\t\\t\\t\\tmod_timer()\\n\\t\\t\\t\\t\\t...\\ntimer_shutdown_sync()\\nlock_timer_base()\\n// For now, will not detach the timer but only clear its function to NULL\\nif (base-\u003erunning_timer != timer)\\n\\tret = detach_if_pending(timer, base, true);\\nif (shutdown)\\n\\ttimer-\u003efunction = NULL;\\nunlock_timer_base()\\n\\t\\t\\t\\t\\t[call_timer_fn exit]\\n\\t\\t\\t\\t\\tlock_timer_base()\\n\\t\\t\\t\\t\\tbase-\u003erunning_timer = NULL;\\n\\t\\t\\t\\t\\tunlock_timer_base()\\n\\t\\t\\t\\t\\t...\\n\\t\\t\\t\\t\\t// Now timer is pending while its function set to NULL.\\n\\t\\t\\t\\t\\t// next timer trigger\\n\\t\\t\\t\\t\\t\u003cSOFTIRQ\u003e\\n\\t\\t\\t\\t\\texpire_timers()\\n\\t\\t\\t\\t\\tWARN_ON_ONCE(!fn) // hit\\n\\t\\t\\t\\t\\t...\\nlock_timer_base()\\n// Now timer will detach\\nif (base-\u003erunning_timer != timer)\\n\\tret = detach_if_pending(timer, base, true);\\nif (shutdown)\\n\\ttimer-\u003efunction = NULL;\\nunlock_timer_base()\\n\\nThe problem is that timer_shutdown_sync() clears the timer function\\nregardless of whether the timer is currently running. This can leave a\\npending timer with a NULL function pointer, which triggers the\\nWARN_ON_ONCE(!fn) check in expire_timers().\\n\\nFix this by only clearing the timer function when actually detaching the\\ntimer. If the timer is running, leave the function pointer intact, which is\\nsafe because the timer will be properly detached when it finishes running.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.118\",\"matchCriteriaId\":\"4391A667-3800-46E2-85F1-05D3343C6133\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.60\",\"matchCriteriaId\":\"959A7F68-3804-4797-BE3E-A69E525AD284\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.17.10\",\"matchCriteriaId\":\"51C8475C-4E3F-464D-AE0C-4D52A8C3240E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1.158:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"25E9EB3F-E8EC-414C-81DF-651BF201C40C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.18:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"DD01661D-DFC8-4B6D-80E7-46D203CC4565\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.18:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"A8A65C5A-918F-4E0B-8E98-08A29FFBA58A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.18:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"26CA425A-E44F-49D2-92D9-1DDD56398440\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.18:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"BEEBB43A-4C9F-46BE-AA6D-9DBFD2244E55\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.18:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"2545FB83-C4A6-4F62-9ED1-09F75D2E3C78\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.18:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"E955EC5D-4684-4B5D-AE4D-F2BF9ADDBA1D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/176725f4848376530a0f0da9023f956afcc33585\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1a975716cc8977f461e45e28e3e5977d46ad7a6a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/20739af07383e6eb1ec59dcd70b72ebfa9ac362c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6665fbd7730b26d770c232b20d1b907e6a67a914\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a01efa7a780c42ac5170a949bd95c9786ffcc60a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ba43ac025c4318241f8edf94f31d2eebab86991b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.