Description
In the Linux kernel, the following vulnerability has been resolved:

rust_binder: correctly handle FDA objects of length zero

Fix a bug where an empty FDA (fd array) object with 0 fds would cause an
out-of-bounds error. The previous implementation used `skip == 0` to
mean "this is a pointer fixup", but 0 is also the correct skip length
for an empty FDA. If the FDA is at the end of the buffer, then this
results in an attempt to write 8-bytes out of bounds. This is caught and
results in an EINVAL error being returned to userspace.

The pattern of using `skip == 0` as a special value originates from the
C-implementation of Binder. As part of fixing this bug, this pattern is
replaced with a Rust enum.

I considered the alternate option of not pushing a fixup when the length
is zero, but I think it's cleaner to just get rid of the zero-is-special
stuff.

The root cause of this bug was diagnosed by Gemini CLI on first try. I
used the following prompt:

> There appears to be a bug in @drivers/android/binder/thread.rs where
> the Fixups oob bug is triggered with 316 304 316 324. This implies
> that we somehow ended up with a fixup where buffer A has a pointer to
> buffer B, but the pointer is located at an index in buffer A that is
> out of bounds. Please investigate the code to find the bug. You may
> compare with @drivers/android/binder.c that implements this correctly.
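As an added illustration (my own simplified fixup model, not the kernel's code from thread.rs), the Rust below shows why a `skip == 0` sentinel misfires for an empty FDA placed at the very end of a buffer, and how an explicit enum, as the fix does, removes the ambiguity. The names `LegacyFixup`, `FixupKind`, `apply_legacy` and `apply_fixed` are assumptions, and the 16-byte buffer is constructed.

```rust
// Added model of the bug class (not the kernel's code): `skip == 0` as a
// sentinel for "pointer fixup" collides with the zero-length skip that an
// empty FDA legitimately needs; an explicit enum removes the ambiguity.
/// Legacy scheme: a fixup is a pointer fixup exactly when `skip == 0`.
#[derive(Clone, Copy)]
pub struct LegacyFixup { pub offset: usize, pub skip: usize, pub ptr: u64 }

/// Apply legacy fixups to `buf`; an out-of-bounds write is caught and
/// reported, which is the EINVAL path the advisory describes.
pub fn apply_legacy(buf: &mut [u8], fixups: &[LegacyFixup]) -> Result<(), &'static str> {
    for f in fixups {
        let end = f.offset.checked_add(if f.skip == 0 { 8 } else { f.skip }).ok_or("EINVAL")?;
        if end > buf.len() { return Err("EINVAL: fixup out of bounds"); }
        if f.skip == 0 {
            // Misfires for an empty FDA: it is treated as an 8-byte pointer write.
            buf[f.offset..end].copy_from_slice(&f.ptr.to_le_bytes());
        }
    }
    Ok(())
}

/// Fixed scheme: the kind is explicit, so `Skip(0)` is simply a no-op.
#[derive(Clone, Copy)]
pub enum FixupKind { Pointer(u64), Skip(usize) }
pub struct Fixup { pub offset: usize, pub kind: FixupKind }

pub fn apply_fixed(buf: &mut [u8], fixups: &[Fixup]) -> Result<(), &'static str> {
    for f in fixups {
        let len = match f.kind { FixupKind::Pointer(_) => 8, FixupKind::Skip(n) => n };
        let end = f.offset.checked_add(len).ok_or("EINVAL")?;
        if end > buf.len() { return Err("EINVAL: fixup out of bounds"); }
        if let FixupKind::Pointer(p) = f.kind {
            buf[f.offset..end].copy_from_slice(&p.to_le_bytes());
        }
    }
    Ok(())
}

/// Constructed case: a 16-byte buffer whose last object is an empty FDA
/// (zero fds, so zero bytes to skip) sitting exactly at the buffer's end.
pub fn empty_fda_at_end_legacy() -> Result<(), &'static str> {
    let mut buf = [0u8; 16];
    apply_legacy(&mut buf, &[LegacyFixup { offset: 16, skip: 0, ptr: 0 }])
}

pub fn empty_fda_at_end_fixed() -> Result<(), &'static str> {
    let mut buf = [0u8; 16];
    apply_fixed(&mut buf, &[Fixup { offset: 16, kind: FixupKind::Skip(0) }])
}
```

The legacy path rejects the transaction with the EINVAL-style error, exactly the symptom the commit describes, while the enum path accepts it because a zero-length skip touches no bytes.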

Published: 2026-02-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-Bounds Write
Action: Apply Patch
AI Analysis

Impact

A bug in the Linux kernel's Binder module caused the Rust implementation to misinterpret an empty FDA (file descriptor array) object as a pointer fix-up when the skip value was zero. The code then attempted to write eight bytes beyond the end of the buffer, triggering an out-of-bounds write. The kernel's bounds check prevented a crash, resulting instead in an EINVAL error returned to userspace. The flaw does not provide a direct path to code execution but could allow an attacker to cause kernel memory corruption or a denial-of-service.

Affected Systems

All Linux kernel 6.19 release candidates from rc1 through rc8, as listed by the supplied CPE entries. Any derivative of the kernel that incorporates the same binder source before the patch is also affected.

Risk and Exploitability

With a CVSS score of 7.8 the issue is rated high severity, but the EPSS score is below 1% and the vulnerability is not in the CISA KEV catalog, indicating a low likelihood of exploitation in the wild. The most likely attack vector is local: an attacker who can invoke a Binder transaction that includes an empty FDA object, for example a malicious application on the same device, may trigger the out-of-bounds write. Because the kernel detects the overflow, only a denial-of-service or a potentially unstable state is expected, and no remote code execution is documented.

Generated by OpenCVE AI on April 18, 2026 at 12:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the binder patch (e.g., 6.19 stable or later).
  • If possible, modify applications to avoid sending empty FDA objects via Binder, or ensure that Binders are updated before use.
  • After updating, restart services that depend on Binder IPC and monitor for EINVAL errors in system logs.

Generated by OpenCVE AI on April 18, 2026 at 12:13 UTC.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 18:00:00 +0000

Type        Values Removed   Values Added
Weaknesses                   CWE-787
CPEs                         cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
                             cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
                             cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
                             cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
                             cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
                             cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
                             cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
                             cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics                      cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 17 Feb 2026 00:15:00 +0000


Sat, 14 Feb 2026 16:45:00 +0000

Type                 Values Removed   Values Added
Description                           In the Linux kernel, the following vulnerability has been resolved: rust_binder: correctly handle FDA objects of length zero (full text as in the Description section above)
Title                                 rust_binder: correctly handle FDA objects of length zero
First Time appeared                   Linux
                                      Linux linux Kernel
CPEs                                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                    Linux
                                      Linux linux Kernel
MITRE

Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-02-14T16:27:20.944Z
Reserved: 2026-01-13T15:37:45.985Z
Link: CVE-2026-23194

Vulnrichment

No data.

NVD

Status: Analyzed
Published: 2026-02-14T17:15:57.233
Modified: 2026-03-19T17:47:30.513
Link: CVE-2026-23194

Redhat

Severity:
Public Date: 2026-02-14T00:00:00Z
Links: CVE-2026-23194 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T12:15:15Z

Weaknesses