Skip to main content

Linux CVE-2026-23400

| EUVDEUVD-2026-16993 MEDIUM
Improper Locking (CWE-667)
2026-03-29 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 29, 2026 - 13:15 euvd
EUVD-2026-16993
Analysis Generated
Mar 29, 2026 - 13:15 vuln.today
CVE Published
Mar 29, 2026 - 12:55 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: call set_notification_done() without proc lock

Consider the following sequence of events on a death listener:

  1. The remote process dies and sends a BR_DEAD_BINDER message.
  2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command.
  3. The local process then invokes the BC_DEAD_BINDER_DONE.

Then, the kernel will reply to the BC_DEAD_BINDER_DONE command with a BR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper().

However, this can result in a deadlock if the current thread is not a looper. This is because dead_binder_done() still holds the proc lock during set_notification_done(), which called push_work_if_looper(). Normally, push_work_if_looper() takes the thread lock, which is fine to take under the proc lock. But if the current thread is not a looper, then it falls back to delivering the reply to the process work queue, which involves taking the proc lock. Since the proc lock is already held, this is a deadlock.

Fix this by releasing the proc lock during set_notification_done(). It was not intentional that it was held during that function to begin with.

I don't think this ever happens in Android because BC_DEAD_BINDER_DONE is only invoked in response to BR_DEAD_BINDER messages, and the kernel always delivers BR_DEAD_BINDER to a looper. So there's no scenario where Android userspace will call BC_DEAD_BINDER_DONE on a non-looper thread.

AnalysisAI

Deadlock in Linux kernel rust_binder driver occurs when BC_DEAD_BINDER_DONE is invoked on a non-looper thread while the proc lock is held, preventing push_work_if_looper() from safely acquiring the proc lock for work queue delivery. The vulnerability affects the Rust implementation of Android's Binder IPC mechanism and can cause kernel deadlock, potentially resulting in denial of service to affected processes or the entire system depending on thread scheduling.

Technical ContextAI

The rust_binder subsystem in the Linux kernel implements Android's Binder inter-process communication protocol in Rust. The vulnerability exists in the dead_binder_done() function, which handles BC_DEAD_BINDER_DONE commands received from userspace. The root cause is a lock ordering violation: when set_notification_done() is called while holding the proc (process) lock, and set_notification_done() internally calls push_work_if_looper(), the latter function may attempt to acquire the proc lock again if the current thread is not a looper. This creates a circular lock dependency (CWE-714: Improper Control of Dynamically-Managed Code Resources, more specifically a lock-ordering deadlock scenario). The Binder protocol uses different message types (BR_DEAD_BINDER, BC_CLEAR_DEATH_NOTIFICATION, BC_DEAD_BINDER_DONE) to manage process death notifications between clients and the system, with loopers being threads that actively wait for and dispatch incoming messages.

RemediationAI

Apply the upstream fix by pulling commits dd109e3442817bc03ad1f3ffd541092f8c428141, 3be72099067d2cd4a0e089696f19780f75b2b88a, or 2e303f0febb65a434040774b793ba8356698802b from git.kernel.org/stable/, which resolve the issue by releasing the proc lock before calling set_notification_done() in the dead_binder_done() function. Users should upgrade their Linux kernel to a version containing this fix or apply the patch from the kernel stable branches. The fix requires no userspace changes and is compatible with standard Android Binder client implementations. For systems unable to immediately patch, disabling rust_binder (if an alternative binder implementation is available) would prevent triggering the vulnerability, though this is not a recommended long-term workaround.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky vulnerable 6.19.8-1 -
sid fixed 6.19.10-1 -
(unstable) fixed 6.19.10-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23400 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy