CVE-2026-43433 (GCVE-0-2026-43433)

Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-08 14:22
Title
rust_binder: avoid reading the written value in offsets array
Summary
In the Linux kernel, the following vulnerability has been resolved:

rust_binder: avoid reading the written value in offsets array

When sending a transaction, its offsets array is first copied into the target proc's vma, and then the values are read back from there. This is normally fine because the vma is a read-only mapping, so the target process cannot change the value under us.

However, if the target process somehow gains the ability to write to its own vma, it could change the offset before it's read back, causing the kernel to misinterpret what the sender meant. If the sender happens to send a payload with a specific shape, this could in the worst case lead to the receiver being able to privilege escalate into the sender.

The intent is that gaining the ability to change the read-only vma of your own process should not be exploitable, so remove this TOCTOU read even though it's unexploitable without another Binder bug.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor: Linux
Product: Linux
Versions:
  • Affected: eafedbc7c050c44744fbdf80bdf3315e860b7513, < e19afb53f7723b3bd22224f2b0c7dcfa70bb973f (git)
  • Affected: eafedbc7c050c44744fbdf80bdf3315e860b7513, < 3672141c93b7a0c0132bf5d5021a4b7f1d663aaa (git)
  • Affected: eafedbc7c050c44744fbdf80bdf3315e860b7513, < 4cb9e13fec0de7c942f5f927469beb8e48ddd20f (git)
Vendor: Linux
Product: Linux
Versions:
  • Affected: 6.18
  • Unaffected: 0, < 6.18 (semver)
  • Unaffected: 6.18.19, ≤ 6.18.* (semver)
  • Unaffected: 6.19.9, ≤ 6.19.* (semver)
  • Unaffected: 7.0, ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/android/binder/thread.rs"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e19afb53f7723b3bd22224f2b0c7dcfa70bb973f",
              "status": "affected",
              "version": "eafedbc7c050c44744fbdf80bdf3315e860b7513",
              "versionType": "git"
            },
            {
              "lessThan": "3672141c93b7a0c0132bf5d5021a4b7f1d663aaa",
              "status": "affected",
              "version": "eafedbc7c050c44744fbdf80bdf3315e860b7513",
              "versionType": "git"
            },
            {
              "lessThan": "4cb9e13fec0de7c942f5f927469beb8e48ddd20f",
              "status": "affected",
              "version": "eafedbc7c050c44744fbdf80bdf3315e860b7513",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/android/binder/thread.rs"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.18"
            },
            {
              "lessThan": "6.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: avoid reading the written value in offsets array\n\nWhen sending a transaction, its offsets array is first copied into the\ntarget proc\u0027s vma, and then the values are read back from there. This is\nnormally fine because the vma is a read-only mapping, so the target\nprocess cannot change the value under us.\n\nHowever, if the target process somehow gains the ability to write to its\nown vma, it could change the offset before it\u0027s read back, causing the\nkernel to misinterpret what the sender meant. If the sender happens to\nsend a payload with a specific shape, this could in the worst case lead\nto the receiver being able to privilege escalate into the sender.\n\nThe intent is that gaining the ability to change the read-only vma of\nyour own process should not be exploitable, so remove this TOCTOU read\neven though it\u0027s unexploitable without another Binder bug."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T14:22:04.632Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e19afb53f7723b3bd22224f2b0c7dcfa70bb973f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3672141c93b7a0c0132bf5d5021a4b7f1d663aaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cb9e13fec0de7c942f5f927469beb8e48ddd20f"
        }
      ],
      "title": "rust_binder: avoid reading the written value in offsets array",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43433",
    "datePublished": "2026-05-08T14:22:04.632Z",
    "dateReserved": "2026-05-01T14:12:56.009Z",
    "dateUpdated": "2026-05-08T14:22:04.632Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43433",
      "date": "2026-05-10",
      "epss": "0.00017",
      "percentile": "0.04138"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43433\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-08T15:16:55.607\",\"lastModified\":\"2026-05-08T15:16:55.607\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrust_binder: avoid reading the written value in offsets array\\n\\nWhen sending a transaction, its offsets array is first copied into the\\ntarget proc\u0027s vma, and then the values are read back from there. This is\\nnormally fine because the vma is a read-only mapping, so the target\\nprocess cannot change the value under us.\\n\\nHowever, if the target process somehow gains the ability to write to its\\nown vma, it could change the offset before it\u0027s read back, causing the\\nkernel to misinterpret what the sender meant. If the sender happens to\\nsend a payload with a specific shape, this could in the worst case lead\\nto the receiver being able to privilege escalate into the sender.\\n\\nThe intent is that gaining the ability to change the read-only vma of\\nyour own process should not be exploitable, so remove this TOCTOU read\\neven though it\u0027s unexploitable without another Binder bug.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3672141c93b7a0c0132bf5d5021a4b7f1d663aaa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4cb9e13fec0de7c942f5f927469beb8e48ddd20f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e19afb53f7723b3bd22224f2b0c7dcfa70bb973f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

