Skip to main content

Android CVE-2026-23194

2026-02-14 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:03 vuln.today
CVE Published
Feb 14, 2026 - 17:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: correctly handle FDA objects of length zero

Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error. The previous implementation used skip == 0 to mean "this is a pointer fixup", but 0 is also the correct skip length for an empty FDA. If the FDA is at the end of the buffer, then this results in an attempt to write 8-bytes out of bounds. This is caught and results in an EINVAL error being returned to userspace.

The pattern of using skip == 0 as a special value originates from the C-implementation of Binder. As part of fixing this bug, this pattern is replaced with a Rust enum.

I considered the alternate option of not pushing a fixup when the length is zero, but I think it's cleaner to just get rid of the zero-is-special stuff.

The root cause of this bug was diagnosed by Gemini CLI on first try. I used the following prompt:

> There appears to be a bug in @drivers/android/binder/thread.rs where > the Fixups oob bug is triggered with 316 304 316 324. This implies > that we somehow ended up with a fixup where buffer A has a pointer to > buffer B, but the pointer is located at an index in buffer A that is > out of bounds. Please investigate the code to find the bug. You may > compare with @drivers/android/binder.c that implements this correctly.

AnalysisAI

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: correctly handle FDA objects of length zero

Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error.

Technical ContextAI

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: correctly handle FDA objects of length zero

Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error. The previous implementation used skip == 0 to mean "this is a pointer fixup", but 0 is also the correct skip length for an empty FDA. If the FDA is at the end of the buffer, then this results in an attempt to write 8-bytes out of bounds. This is caught and results in an EINVAL

Affected ProductsAI

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: correctly handle FDA objects of length zero

Fix a bug where an empt

RemediationAI

Monitor vendor advisories for a patch.

CVE-2015-3105 CRITICAL POC
10.0 Jun 10

Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows and OS X and before 11.2.202.466

CVE-2015-3864 CRITICAL POC
10.0 Oct 01

Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in A

CVE-2013-4710 CRITICAL POC
9.3 Mar 03

Android 3.0 through 4.1.x on Disney Mobile, eAccess, KDDI, NTT DOCOMO, SoftBank, and other devices does not properly imp

CVE-2015-1538 CRITICAL POC
10.0 Oct 01

Integer overflow in the SampleTable::setSampleToChunkParams function in SampleTable.cpp in libstagefright in Android bef

CVE-2024-21633 HIGH POC
7.8 Jan 03

Apktool versions 2.9.1 and prior contain a path traversal vulnerability when processing Android APK files. Malicious APK

CVE-2017-13156 HIGH POC
7.8 Dec 06

An elevation of privilege vulnerability in the Android system (art). Rated high severity (CVSS 7.8), this vulnerability

CVE-2016-2107 MEDIUM POC
5.9 May 05

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a

CVE-2015-3106 CRITICAL POC
10.0 Jun 10

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows

CVE-2015-3107 CRITICAL POC
10.0 Jun 10

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows

CVE-2013-4787 CRITICAL POC
9.3 Jul 09

Android 1.6 Donut through 4.2 Jelly Bean does not properly check cryptographic signatures for applications, which allows

CVE-2014-7911 HIGH
7.2 Dec 15

luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.

CVE-2016-0801 CRITICAL POC
9.8 Feb 07

The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01

Share

CVE-2026-23194 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy