Description
In the Linux kernel, the following vulnerability has been resolved:

rust_binder: avoid reading the written value in offsets array

When sending a transaction, its offsets array is first copied into the
target proc's vma, and then the values are read back from there. This is
normally fine because the vma is a read-only mapping, so the target
process cannot change the value under us.

However, if the target process somehow gains the ability to write to its
own vma, it could change the offset before it's read back, causing the
kernel to misinterpret what the sender meant. If the sender happens to
send a payload with a specific shape, this could in the worst case lead
to the receiver being able to privilege escalate into the sender.

The intent is that gaining the ability to change the read-only vma of
your own process should not be exploitable, so remove this TOCTOU read
even though it's unexploitable without another Binder bug.
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel binder subsystem. When a binder transaction is sent, the offsets array is copied into the target process’s virtual memory area (VMA) and then read back for interpretation. Normally the VMA is read‑only, preventing tampering, but if an attacker can grant write access to its own VMA, it can alter the offsets before the kernel re‑reads them. This race condition, a classic Time‑of‑Check to Time‑of‑Use flaw, can cause the kernel to misinterpret the intended transaction and, under certain payload shapes, allow the receiving process to gain privileges over the sender. The weakness matches CWE‑824 (Improper Synchronization) and CWE‑362 (Atomicity Violation).

Affected Systems

Affectation is limited to Linux kernel implementations; no specific version ranges were supplied in the official disclosure. The patch that removes the unsafe read was integrated into the kernel via commit 3672141c93b7a0c0132bf5d5021a4b7f1d663aaa and subsequent related commits. Administrators should verify that their kernel contains these commits or is at a later release that includes the fix.

Risk and Exploitability

The CVSS score is not listed, and the EPSS rating is unavailable. The vulnerability is not recorded in the CISA KEV catalog, indicating no known recent exploitation. Exploitation requires an attacker to first obtain the ability to write to a read‑only VMA, which normally needs another binder or kernel flaw to be combined. Because of these prerequisites, the likelihood of successful exploitation is moderate to low, but the impact is high if an attacker can chain this flaw with a second vulnerability to achieve privilege escalation.

Generated by OpenCVE AI on May 9, 2026 at 13:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that contains commit 3672141c93b7a0c0132bf5d5021a4b7f1d663aaa, which removes the TOCTOU read from the binder offsets array.
  • Verify that no remaining binder‑related permission or access control bugs exist that could allow a process to gain write access to its own VMA; apply any related security patches promptly.
  • Enable kernel hardening features such as SELinux or AppArmor profiles, enforce kernel lockdown mode, and restrict VMA write privileges to mitigate the underlying race condition.

Generated by OpenCVE AI on May 9, 2026 at 13:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References

Fri, 08 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-824

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: rust_binder: avoid reading the written value in offsets array When sending a transaction, its offsets array is first copied into the target proc's vma, and then the values are read back from there. This is normally fine because the vma is a read-only mapping, so the target process cannot change the value under us. However, if the target process somehow gains the ability to write to its own vma, it could change the offset before it's read back, causing the kernel to misinterpret what the sender meant. If the sender happens to send a payload with a specific shape, this could in the worst case lead to the receiver being able to privilege escalate into the sender. The intent is that gaining the ability to change the read-only vma of your own process should not be exploitable, so remove this TOCTOU read even though it's unexploitable without another Binder bug.
Title rust_binder: avoid reading the written value in offsets array
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:04.632Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43433

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T15:16:55.607

Modified: 2026-05-08T15:16:55.607

Link: CVE-2026-43433

cve-icon Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43433 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T13:30:34Z

Weaknesses