CVE-2026-23400 (GCVE-0-2026-23400)
Vulnerability from cvelistv5 – Published: 2026-03-29 12:55 – Updated: 2026-05-11 22:06
VLAI
Title
rust_binder: call set_notification_done() without proc lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
rust_binder: call set_notification_done() without proc lock
Consider the following sequence of events on a death listener:
1. The remote process dies and sends a BR_DEAD_BINDER message.
2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command.
3. The local process then invokes the BC_DEAD_BINDER_DONE.
Then, the kernel will reply to the BC_DEAD_BINDER_DONE command with a
BR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper().
However, this can result in a deadlock if the current thread is not a
looper. This is because dead_binder_done() still holds the proc lock
during set_notification_done(), which called push_work_if_looper().
Normally, push_work_if_looper() takes the thread lock, which is fine to
take under the proc lock. But if the current thread is not a looper,
then it falls back to delivering the reply to the process work queue,
which involves taking the proc lock. Since the proc lock is already
held, this is a deadlock.
Fix this by releasing the proc lock during set_notification_done(). It
was not intentional that it was held during that function to begin with.
I don't think this ever happens in Android because BC_DEAD_BINDER_DONE
is only invoked in response to BR_DEAD_BINDER messages, and the kernel
always delivers BR_DEAD_BINDER to a looper. So there's no scenario where
Android userspace will call BC_DEAD_BINDER_DONE on a non-looper thread.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
eafedbc7c050c44744fbdf80bdf3315e860b7513 , < dd109e3442817bc03ad1f3ffd541092f8c428141
(git)
Affected: eafedbc7c050c44744fbdf80bdf3315e860b7513 , < 3be72099067d2cd4a0e089696f19780f75b2b88a (git) Affected: eafedbc7c050c44744fbdf80bdf3315e860b7513 , < 2e303f0febb65a434040774b793ba8356698802b (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/android/binder/process.rs"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd109e3442817bc03ad1f3ffd541092f8c428141",
"status": "affected",
"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513",
"versionType": "git"
},
{
"lessThan": "3be72099067d2cd4a0e089696f19780f75b2b88a",
"status": "affected",
"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513",
"versionType": "git"
},
{
"lessThan": "2e303f0febb65a434040774b793ba8356698802b",
"status": "affected",
"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/android/binder/process.rs"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: call set_notification_done() without proc lock\n\nConsider the following sequence of events on a death listener:\n1. The remote process dies and sends a BR_DEAD_BINDER message.\n2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command.\n3. The local process then invokes the BC_DEAD_BINDER_DONE.\nThen, the kernel will reply to the BC_DEAD_BINDER_DONE command with a\nBR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper().\n\nHowever, this can result in a deadlock if the current thread is not a\nlooper. This is because dead_binder_done() still holds the proc lock\nduring set_notification_done(), which called push_work_if_looper().\nNormally, push_work_if_looper() takes the thread lock, which is fine to\ntake under the proc lock. But if the current thread is not a looper,\nthen it falls back to delivering the reply to the process work queue,\nwhich involves taking the proc lock. Since the proc lock is already\nheld, this is a deadlock.\n\nFix this by releasing the proc lock during set_notification_done(). It\nwas not intentional that it was held during that function to begin with.\n\nI don\u0027t think this ever happens in Android because BC_DEAD_BINDER_DONE\nis only invoked in response to BR_DEAD_BINDER messages, and the kernel\nalways delivers BR_DEAD_BINDER to a looper. So there\u0027s no scenario where\nAndroid userspace will call BC_DEAD_BINDER_DONE on a non-looper thread."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:06:10.668Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd109e3442817bc03ad1f3ffd541092f8c428141"
},
{
"url": "https://git.kernel.org/stable/c/3be72099067d2cd4a0e089696f19780f75b2b88a"
},
{
"url": "https://git.kernel.org/stable/c/2e303f0febb65a434040774b793ba8356698802b"
}
],
"title": "rust_binder: call set_notification_done() without proc lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23400",
"datePublished": "2026-03-29T12:55:50.660Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-05-11T22:06:10.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-23400",
"date": "2026-06-01",
"epss": "0.00014",
"percentile": "0.02597"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-23400\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-03-29T13:16:58.920\",\"lastModified\":\"2026-04-24T15:17:32.797\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrust_binder: call set_notification_done() without proc lock\\n\\nConsider the following sequence of events on a death listener:\\n1. The remote process dies and sends a BR_DEAD_BINDER message.\\n2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command.\\n3. The local process then invokes the BC_DEAD_BINDER_DONE.\\nThen, the kernel will reply to the BC_DEAD_BINDER_DONE command with a\\nBR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper().\\n\\nHowever, this can result in a deadlock if the current thread is not a\\nlooper. This is because dead_binder_done() still holds the proc lock\\nduring set_notification_done(), which called push_work_if_looper().\\nNormally, push_work_if_looper() takes the thread lock, which is fine to\\ntake under the proc lock. But if the current thread is not a looper,\\nthen it falls back to delivering the reply to the process work queue,\\nwhich involves taking the proc lock. Since the proc lock is already\\nheld, this is a deadlock.\\n\\nFix this by releasing the proc lock during set_notification_done(). It\\nwas not intentional that it was held during that function to begin with.\\n\\nI don\u0027t think this ever happens in Android because BC_DEAD_BINDER_DONE\\nis only invoked in response to BR_DEAD_BINDER messages, and the kernel\\nalways delivers BR_DEAD_BINDER to a looper. So there\u0027s no scenario where\\nAndroid userspace will call BC_DEAD_BINDER_DONE on a non-looper thread.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\\n\\nrust_binder: llamar a set_notification_done() sin el bloqueo de proc\\n\\nConsidere la siguiente secuencia de eventos en un oyente de muerte:\\n1. El proceso remoto muere y env\u00eda un mensaje BR_DEAD_BINDER.\\n2. El proceso local invoca el comando BC_CLEAR_DEATH_NOTIFICATION.\\n3. El proceso local luego invoca el BC_DEAD_BINDER_DONE.\\nEntonces, el kernel responder\u00e1 al comando BC_DEAD_BINDER_DONE con una\\nrespuesta BR_CLEAR_DEATH_NOTIFICATION_DONE usando push_work_if_looper().\\n\\nSin embargo, esto puede resultar en un interbloqueo si el hilo actual no es un\\nlooper. Esto se debe a que dead_binder_done() a\u00fan mantiene el bloqueo de proc\\ndurante set_notification_done(), que llam\u00f3 a push_work_if_looper().\\nNormalmente, push_work_if_looper() toma el bloqueo de hilo, lo cual est\u00e1 bien tomar\\nbajo el bloqueo de proc. Pero si el hilo actual no es un looper,\\nentonces recurre a entregar la respuesta a la cola de trabajo del proceso,\\nlo que implica tomar el bloqueo de proc. Dado que el bloqueo de proc ya est\u00e1\\nretenido, esto es un interbloqueo.\\n\\nSolucione esto liberando el bloqueo de proc durante set_notification_done(). No\\nfue intencional que se mantuviera durante esa funci\u00f3n para empezar.\\n\\nNo creo que esto ocurra nunca en Android porque BC_DEAD_BINDER_DONE\\nsolo se invoca en respuesta a mensajes BR_DEAD_BINDER, y el kernel\\nsiempre entrega BR_DEAD_BINDER a un looper. As\u00ed que no hay ning\u00fan escenario donde\\nel espacio de usuario de Android llame a BC_DEAD_BINDER_DONE en un hilo que no sea un looper.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-667\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.18.1\",\"versionEndExcluding\":\"6.18.19\",\"matchCriteriaId\":\"6F718F75-20D5-4D17-B698-1D1BD5FDE294\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.9\",\"matchCriteriaId\":\"E825E7C3-FEAC-4FD3-8A81-78D7387948C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"DCE57113-2223-4308-A0F2-5E6ECFBB3C23\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F666C8D8-6538-46D4-B318-87610DE64C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"02259FDA-961B-47BC-AE7F-93D7EC6E90C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D2315C0-D46F-4F85-9754-F9E5E11374A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"512EE3A8-A590-4501-9A94-5D4B268D6138\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2e303f0febb65a434040774b793ba8356698802b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3be72099067d2cd4a0e089696f19780f75b2b88a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dd109e3442817bc03ad1f3ffd541092f8c428141\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…