Description
In the Linux kernel, the following vulnerability has been resolved:

rust_binder: call set_notification_done() without proc lock

Consider the following sequence of events on a death listener:
1. The remote process dies and sends a BR_DEAD_BINDER message.
2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command.
3. The local process then invokes the BC_DEAD_BINDER_DONE.
Then, the kernel will reply to the BC_DEAD_BINDER_DONE command with a
BR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper().

However, this can result in a deadlock if the current thread is not a
looper. This is because dead_binder_done() still holds the proc lock
during set_notification_done(), which called push_work_if_looper().
Normally, push_work_if_looper() takes the thread lock, which is fine to
take under the proc lock. But if the current thread is not a looper,
then it falls back to delivering the reply to the process work queue,
which involves taking the proc lock. Since the proc lock is already
held, this is a deadlock.

Fix this by releasing the proc lock during set_notification_done(). It
was not intentional that it was held during that function to begin with.

I don't think this ever happens in Android because BC_DEAD_BINDER_DONE
is only invoked in response to BR_DEAD_BINDER messages, and the kernel
always delivers BR_DEAD_BINDER to a looper. So there's no scenario where
Android userspace will call BC_DEAD_BINDER_DONE on a non-looper thread.
Published: 2026-03-29
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via deadlock
Action: Patch Now
AI Analysis

Impact

A concurrency flaw in the Linux kernel’s binder subsystem triggers a deadlock when the set_notification_done() function is called while the proc lock is still held. If the current thread is not a looper, this causes the thread to attempt to acquire the already‑held proc lock, resulting in an indefinite block that can halt binder‑based communication.

Affected Systems

The vulnerability affects the Linux kernel. No specific version restrictions are listed, so any kernel release that includes the rust_binder code guarded by this bug is potentially impacted. Users running contemporary Linux distributions that embed this kernel code should verify whether it has been patched.

Risk and Exploitability

The CVE record lists a CVSS base score of 5.5, indicating a medium‑severity local denial of service. The EPSS score is below 1 %, suggesting low probability of exploitation at the present time. The vulnerability is not in the CISA KEV catalog. Attackers would need local kernel access to trigger the deadlock, such as by initiating or responding to binder death notifications. Exploitation would lead to a lock of the binder subsystem, potentially disrupting inter‑process communication.

Generated by OpenCVE AI on April 28, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel release that contains the binder deadlock fix.
  • Enable binder subsystem debug logging to capture potential deadlock events.
  • Monitor binder logs for deadlock indications and restart affected services if necessary.

Generated by OpenCVE AI on April 28, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667
CPEs cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667

Mon, 30 Mar 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-833
References

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667

Sun, 29 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: rust_binder: call set_notification_done() without proc lock Consider the following sequence of events on a death listener: 1. The remote process dies and sends a BR_DEAD_BINDER message. 2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command. 3. The local process then invokes the BC_DEAD_BINDER_DONE. Then, the kernel will reply to the BC_DEAD_BINDER_DONE command with a BR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper(). However, this can result in a deadlock if the current thread is not a looper. This is because dead_binder_done() still holds the proc lock during set_notification_done(), which called push_work_if_looper(). Normally, push_work_if_looper() takes the thread lock, which is fine to take under the proc lock. But if the current thread is not a looper, then it falls back to delivering the reply to the process work queue, which involves taking the proc lock. Since the proc lock is already held, this is a deadlock. Fix this by releasing the proc lock during set_notification_done(). It was not intentional that it was held during that function to begin with. I don't think this ever happens in Android because BC_DEAD_BINDER_DONE is only invoked in response to BR_DEAD_BINDER messages, and the kernel always delivers BR_DEAD_BINDER to a looper. So there's no scenario where Android userspace will call BC_DEAD_BINDER_DONE on a non-looper thread.
Title rust_binder: call set_notification_done() without proc lock
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:06:10.668Z

Reserved: 2026-01-13T15:37:46.012Z

Link: CVE-2026-23400

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-29T13:16:58.920

Modified: 2026-04-24T15:17:32.797

Link: CVE-2026-23400

cve-icon Redhat

Severity :

Publid Date: 2026-03-29T00:00:00Z

Links: CVE-2026-23400 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T17:00:13Z

Weaknesses