Skip to main content

Linux Kernel EUVDEUVD-2026-28739

| CVE-2026-43433 HIGH
2026-05-08 Linux GHSA-9ccw-3qr7-6wpp
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:34 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:22 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: avoid reading the written value in offsets array

When sending a transaction, its offsets array is first copied into the target proc's vma, and then the values are read back from there. This is normally fine because the vma is a read-only mapping, so the target process cannot change the value under us.

However, if the target process somehow gains the ability to write to its own vma, it could change the offset before it's read back, causing the kernel to misinterpret what the sender meant. If the sender happens to send a payload with a specific shape, this could in the worst case lead to the receiver being able to privilege escalate into the sender.

The intent is that gaining the ability to change the read-only vma of your own process should not be exploitable, so remove this TOCTOU read even though it's unexploitable without another Binder bug.

AnalysisAI

Time-of-check-to-time-of-use (TOCTOU) race condition in Linux kernel's rust_binder implementation allows local authenticated attackers with low privileges to escalate privileges. The flaw exists in transaction offset array handling where values copied to a target process's read-only VMA are read back without protection against concurrent modification. If an attacker can write to their own supposedly read-only VMA through a separate vulnerability, they can modify offsets between write and read operations, causing the kernel to misinterpret transaction data and potentially enabling privilege escalation into the sending process. Patch available in kernel versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% suggests limited real-world exploitation likelihood despite CVSS 7.8 severity.

Technical ContextAI

The vulnerability resides in the rust_binder module, a Rust implementation of Android's Binder IPC mechanism integrated into the Linux kernel. Binder transactions involve copying an offsets array into a target process's virtual memory area (VMA), which is mapped read-only to prevent tampering. The code then reads these offsets back from the VMA to interpret transaction structure. The TOCTOU race window exists between the write to VMA and the subsequent read. The affected CPE strings (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) indicate this impacts the Linux kernel project broadly. The vulnerability requires the presence of rust_binder functionality, which was introduced in kernel 6.18 based on EUVD version data. Exploitation requires chaining with another vulnerability that breaks the VMA read-only protection, making this a defense-in-depth issue rather than a directly exploitable flaw in isolation.

RemediationAI

Upgrade to patched Linux kernel versions 6.18.19, 6.19.9, or 7.0 or later, which contain fixes for the rust_binder TOCTOU vulnerability. Patches are available from the Linux kernel stable tree: commit e19afb53f7723b3bd22224f2b0c7dcfa70bb973f for 6.18.x series, commit 3672141c93b7a0c0132bf5d5021a4b7f1d663aaa for 6.19.x series, and commit 4cb9e13fec0de7c942f5f927469beb8e48ddd20f for mainline 7.0. Full advisory details at https://nvd.nist.gov/vuln/detail/CVE-2026-43433. For systems that cannot immediately upgrade, consider disabling rust_binder functionality if not required (check if CONFIG_RUST_BINDER is enabled in kernel config) - note this will break Android container compatibility and any applications depending on Binder IPC. Alternatively, implement mandatory access control policies (SELinux, AppArmor) to restrict which processes can use Binder IPC, reducing the attack surface to trusted processes only, though this provides only partial mitigation as the TOCTOU race still exists. No workaround fully addresses the root cause; kernel upgrade is the definitive remediation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28739 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy