CVE-2026-43433: rust_binder: avoid reading the written value in offsets array

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: avoid reading the written value in offsets array

When sending a transaction, its offsets array is first copied into the
target proc's vma, and then the values are read back from there. This is
normally fine because the vma is a read-only mapping, so the target
process cannot change the value under us.

However, if the target process somehow gains the ability to write to its
own vma, it could change the offset before it's read back, causing the
kernel to misinterpret what the sender meant. If the sender happens to
send a payload with a specific shape, this could in the worst case lead
to the receiver being able to privilege escalate into the sender.

The intent is that gaining the ability to change the read-only vma of
your own process should not be exploitable, so remove this TOCTOU read
even though it's unexploitable without another Binder bug.

The Linux kernel CVE team has assigned CVE-2026-43433 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.18 with commit eafedbc7c050c44744fbdf80bdf3315e860b7513 and fixed in 6.18.19 with commit e19afb53f7723b3bd22224f2b0c7dcfa70bb973f
	Issue introduced in 6.18 with commit eafedbc7c050c44744fbdf80bdf3315e860b7513 and fixed in 6.19.9 with commit 3672141c93b7a0c0132bf5d5021a4b7f1d663aaa
	Issue introduced in 6.18 with commit eafedbc7c050c44744fbdf80bdf3315e860b7513 and fixed in 7.0 with commit 4cb9e13fec0de7c942f5f927469beb8e48ddd20f

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43433
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/android/binder/thread.rs


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/e19afb53f7723b3bd22224f2b0c7dcfa70bb973f
	https://git.kernel.org/stable/c/3672141c93b7a0c0132bf5d5021a4b7f1d663aaa
	https://git.kernel.org/stable/c/4cb9e13fec0de7c942f5f927469beb8e48ddd20f