From mboxrd@z Thu Jan 1 00:00:00 1970
From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2026-43433: rust_binder: avoid reading the written value in offsets array
Date: Fri, 8 May 2026 16:22:42 +0200
Message-ID: <2026050851-CVE-2026-43433-69b7@gregkh>
X-Mailing-List: linux-cve-announce@vger.kernel.org

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: avoid reading the written value in offsets array

When sending a transaction, its offsets array is first copied into the
target proc's vma, and then the values are read back from there. This is
normally fine because the vma is a read-only mapping, so the target
process cannot change the value under us.

However, if the target process somehow gains the ability to write to its
own vma, it could change the offset before it's read back, causing the
kernel to misinterpret what the sender meant. If the sender happens to
send a payload with a specific shape, this could in the worst case lead
to the receiver being able to privilege escalate into the sender.

The intent is that gaining the ability to change the read-only vma of
your own process should not be exploitable, so remove this TOCTOU read
even though it's unexploitable without another Binder bug.

The Linux kernel CVE team has assigned CVE-2026-43433 to this issue.
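The double-read pattern the commit message describes, shown as an added illustration (this is not the rust_binder code, nor the fix commit): the kernel copies the sender's offsets into a buffer the receiver can see, and the vulnerable shape then reads each offset back from that buffer before acting on it, while the fixed shape acts on the copy it already holds. The receiver's mapping is modelled here as a shared array of atomic slots, the "receiver gains write access" precondition as a closure that runs in the window between copy and read-back, and `TargetBuffer`, `offset_is_plausible` and both `resolve_offsets_*` functions are hypothetical names. The range/alignment check is a deliberate simplification of what a driver would validate; its point is that a tampered offset can pass such a check and still name a different object than the sender meant.

```rust
use std::sync::atomic::{AtomicU64, Ordering};

/// Stand-in for the receiver's mapped transaction buffer (constructed model,
/// not the driver's data structure). In the real driver this is a read-only
/// mapping in the target process; here any code holding a reference may write
/// to it, which models "the receiver somehow gained write access to its vma".
pub struct TargetBuffer {
    slots: Vec<AtomicU64>,
}

impl TargetBuffer {
    pub fn new(n: usize) -> Self {
        TargetBuffer { slots: (0..n).map(|_| AtomicU64::new(0)).collect() }
    }
    pub fn write(&self, i: usize, v: u64) {
        self.slots[i].store(v, Ordering::SeqCst);
    }
    pub fn read(&self, i: usize) -> u64 {
        self.slots[i].load(Ordering::SeqCst)
    }
}

/// Simplified, hypothetical plausibility check on an offset: 8-byte aligned and
/// the object it points at fits inside the payload. A tampered offset can pass
/// this and still point at a different object than the sender intended.
pub fn offset_is_plausible(off: u64, payload_len: u64) -> bool {
    off % 8 == 0 && off.checked_add(8).map_or(false, |end| end <= payload_len)
}

/// Vulnerable shape: copy the sender's offsets into the target buffer, then read
/// each offset back FROM THE TARGET before acting on it. `interfere` stands for
/// the receiver getting to run in the window between the copy and the read-back.
pub fn resolve_offsets_read_back<F: Fn(&TargetBuffer)>(
    sender_offsets: &[u64],
    payload_len: u64,
    target: &TargetBuffer,
    interfere: F,
) -> Result<Vec<u64>, String> {
    for (i, &off) in sender_offsets.iter().enumerate() {
        target.write(i, off);
    }
    interfere(target); // TOCTOU window: the receiver may change what was just written
    let mut resolved = Vec::with_capacity(sender_offsets.len());
    for i in 0..sender_offsets.len() {
        let off = target.read(i); // second fetch, from memory the receiver controls
        if !offset_is_plausible(off, payload_len) {
            return Err(format!("offset {off} rejected"));
        }
        resolved.push(off);
    }
    Ok(resolved)
}

/// Fixed shape: the value already copied out of the sender is the one acted on;
/// the target buffer is write-only from the kernel's side and is never re-read.
pub fn resolve_offsets_keep_copy<F: Fn(&TargetBuffer)>(
    sender_offsets: &[u64],
    payload_len: u64,
    target: &TargetBuffer,
    interfere: F,
) -> Result<Vec<u64>, String> {
    let mut resolved = Vec::with_capacity(sender_offsets.len());
    for (i, &off) in sender_offsets.iter().enumerate() {
        if !offset_is_plausible(off, payload_len) {
            return Err(format!("offset {off} rejected"));
        }
        target.write(i, off);
        resolved.push(off); // keep the sender's value, not the buffer's
    }
    interfere(target); // the receiver may still scribble on its buffer...
    Ok(resolved) // ...but nothing above reads it back
}

fn main() {
    // Constructed sample transaction: three object offsets inside a 64-byte payload.
    let sender_offsets = [0u64, 16, 32];
    let payload_len = 64;
    // The receiver rewrites slot 1 to an offset that is plausible but not what was sent.
    let tamper = |t: &TargetBuffer| t.write(1, 48);

    let buf = TargetBuffer::new(3);
    let seen = resolve_offsets_read_back(&sender_offsets, payload_len, &buf, tamper);
    println!("read-back variant acted on : {seen:?}");

    let buf = TargetBuffer::new(3);
    let seen = resolve_offsets_keep_copy(&sender_offsets, payload_len, &buf, tamper);
    println!("keep-copy variant acted on : {seen:?}");
}
```

The point of the model is that both variants leave the same bytes in the receiver's buffer; the only difference is which copy the kernel trusts afterwards. With the read-back variant, a value that passes the plausibility check but differs from the sender's is silently accepted, which is exactly the "misinterpret what the sender meant" outcome the commit message describes.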
Affected and fixed versions
===========================

	Issue introduced in 6.18 with commit eafedbc7c050c44744fbdf80bdf3315e860b7513 and fixed in 6.18.19 with commit e19afb53f7723b3bd22224f2b0c7dcfa70bb973f
	Issue introduced in 6.18 with commit eafedbc7c050c44744fbdf80bdf3315e860b7513 and fixed in 6.19.9 with commit 3672141c93b7a0c0132bf5d5021a4b7f1d663aaa
	Issue introduced in 6.18 with commit eafedbc7c050c44744fbdf80bdf3315e860b7513 and fixed in 7.0 with commit 4cb9e13fec0de7c942f5f927469beb8e48ddd20f

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43433
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/android/binder/thread.rs

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/e19afb53f7723b3bd22224f2b0c7dcfa70bb973f
	https://git.kernel.org/stable/c/3672141c93b7a0c0132bf5d5021a4b7f1d663aaa
	https://git.kernel.org/stable/c/4cb9e13fec0de7c942f5f927469beb8e48ddd20f