CVE-2026-43435 - Vulnerability Details

- rust_binder: fix oneway spam detection

Description

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: fix oneway spam detection

The spam detection logic in TreeRange was executed before the current
request was inserted into the tree. So the new request was not being
factored in the spam calculation. Fix this by moving the logic after
the new range has been inserted.

Also, the detection logic for ArrayRange was missing altogether which
meant large spamming transactions could get away without being detected.
Fix this by implementing an equivalent low_oneway_space() in ArrayRange.

Note that I looked into centralizing this logic in RangeAllocator but
iterating through 'state' and 'size' got a bit too complicated (for me)
and I abandoned this effort.

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The bug in the Linux kernel’s binder module caused the spam‑detection logic for TreeRange to run before a new request was inserted into the tracking tree, so the new request was omitted from the spam calculation. In addition, ArrayRange lacked spam detection entirely, allowing high‑volume “spamming” transactions to bypass safeguards and potentially exhaust kernel resources, thereby degrading system performance. This flaw is a resource‑consumption issue, indexed as CWE-770, and can lead to a denial‑of‑service condition. The likely attack vector is local processes generating large numbers of binder requests, as the problem depends on traffic from binder clients rather than external network input, a conclusion inferred from the description.

Affected Systems

All Linux kernel releases that contain the binder module and have not yet applied the referenced commits (4fc87c240b8f30e22b7ebaae29d57105589e1c0b, 8d34c993a9a156e657e43cb95186980745cc3597, or edf685946c4acbe57cb96f8d5f3c07e9a2e973c8) are vulnerable. Kernels newer than these commits are considered safe.

Risk and Exploitability

Exploitation requires the ability to generate binder requests, normally through processes that interact with the binder service. The vulnerability has no documented remote vector; it is likely that unprivileged local processes could generate high‑volume traffic to trigger a denial‑of‑service by exhausting CPU or memory. The EPSS score (<1%) indicates a very low probability of exploitation, and the issue is not listed in the CISA KEV catalog. The likely attack vector is local binder traffic, as the flaw depends on the volume of requests sent by binder clients, a conclusion inferred from the described bug. Because the attack surface is limited to binder range handling, the potential for service degradation remains significant, warranting prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`eafedbc7c050c44744fbdf80bdf3315e860b7513`	affected	< edf685946c4acbe57cb96f8d5f3c07e9a2e973c8
`eafedbc7c050c44744fbdf80bdf3315e860b7513`	affected	< 8d34c993a9a156e657e43cb95186980745cc3597
`eafedbc7c050c44744fbdf80bdf3315e860b7513`	affected	< 4fc87c240b8f30e22b7ebaae29d57105589e1c0b

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[eafedbc7c050c44744fbdf80bdf3315e860b7513,edf685946c4acbe57cb96f8d5f3c07e9a2e973c8)`	affected	code_commit	—
`[eafedbc7c050c44744fbdf80bdf3315e860b7513,8d34c993a9a156e657e43cb95186980745cc3597)`	affected	code_commit	—
`[eafedbc7c050c44744fbdf80bdf3315e860b7513,4fc87c240b8f30e22b7ebaae29d57105589e1c0b)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	generic	—
`[0,6.18)`	unaffected	generic	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Linux kernel patch that incorporates the commits identified in the referenced commit series to fix the spam‑detection logic for TreeRange and ArrayRange.
Configure cgroup or system resource limits to constrain binder traffic from untrusted users, mitigating the CWE-770 Uncontrolled Resource Consumption.
If a kernel upgrade or patch cannot be applied immediately, temporarily disable binder services for untrusted processes or restrict the number of binder requests to reduce the risk of resource exhaustion.

Generated by OpenCVE AI on May 9, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4fc87c240b8f30e22b7ebaae29d57105589e1c0b
https://git.kernel.org/stable/c/8d34c993a9a156e657e43cb95186980745cc3597
https://git.kernel.org/stable/c/edf685946c4acbe57cb96f8d5f3c07e9a2e973c8
https://lore.kernel.org/linux-cve-announce/2026050852-CVE-2026-43435-9f8d@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43435
https://www.cve.org/CVERecord?id=CVE-2026-43435

History

Sat, 09 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-400

Sat, 09 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770
References		https://lore.kernel.org/linux-cve-announce/2026050852-CVE-2026-43435-9f8d@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43435 https://www.cve.org/CVERecord?id=CVE-2026-43435

Fri, 08 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: rust_binder: fix oneway spam detection The spam detection logic in TreeRange was executed before the current request was inserted into the tree. So the new request was not being factored in the spam calculation. Fix this by moving the logic after the new range has been inserted. Also, the detection logic for ArrayRange was missing altogether which meant large spamming transactions could get away without being detected. Fix this by implementing an equivalent low_oneway_space() in ArrayRange. Note that I looked into centralizing this logic in RangeAllocator but iterating through 'state' and 'size' got a bit too complicated (for me) and I abandoned this effort.
Title		rust_binder: fix oneway spam detection
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4fc87c240b8f30e22b7ebaae29d57105589e1c0b https://git.kernel.org/stable/c/8d34c993a9a156e657e43cb95186980745cc3597 https://git.kernel.org/stable/c/edf685946c4acbe57cb96f8d5f3c07e9a2e973c8

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:22:05.921Z

Updated: 2026-05-08T14:22:05.921Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43435

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:55.827

Modified: 2026-05-08T15:16:55.827

Link: CVE-2026-43435

Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43435 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T17:30:38Z

Weaknesses

CWE-770

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object