Skip to main content

Linux Kernel EUVDEUVD-2026-28740

| CVE-2026-43434 HIGH
2026-05-08 Linux GHSA-8r2v-c988-jpq4
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:34 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:22 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: check ownership before using vma

When installing missing pages (or zapping them), Rust Binder will look up the vma in the mm by address, and then call vm_insert_page (or zap_page_range_single). However, if the vma is closed and replaced with a different vma at the same address, this can lead to Rust Binder installing pages into the wrong vma.

By installing the page into a writable vma, it becomes possible to write to your own binder pages, which are normally read-only. Although you're not supposed to be able to write to those pages, the intent behind the design of Rust Binder is that even if you get that ability, it should not lead to anything bad. Unfortunately, due to another bug, that is not the case.

To fix this, store a pointer in vm_private_data and check that the vma returned by vma_lookup() has the right vm_ops and vm_private_data before trying to use the vma. This should ensure that Rust Binder will refuse to interact with any other VMA. The plan is to introduce more vma abstractions to avoid this unsafe access to vm_ops and vm_private_data, but for now let's start with the simplest possible fix.

C Binder performs the same check in a slightly different way: it provides a vm_ops->close that sets a boolean to true, then checks that boolean after calling vma_lookup(), but this is more fragile than the solution in this patch. (We probably still want to do both, but the vm_ops->close callback will be added later as part of the follow-up vma API changes.)

It's still possible to remap the vma so that pages appear in the right vma, but at the wrong offset, but this is a separate issue and will be fixed when Rust Binder gets a vm_ops->close callback.

AnalysisAI

Local privilege escalation in Linux kernel's Rust Binder allows authenticated users to write to normally read-only binder pages, potentially leading to memory corruption and arbitrary code execution. The vulnerability stems from improper VMA (Virtual Memory Area) ownership validation during page installation - if a VMA is closed and replaced at the same address, Rust Binder may install pages into the wrong VMA, converting read-only pages to writable. Affects Linux kernel 6.18+ with Rust Binder enabled. EPSS score of 0.02% suggests low observed exploitation probability. Vendor patches available (6.18.19, 6.19.9, 7.0) via kernel.org stable tree commits.

Technical ContextAI

This affects the Rust Binder IPC mechanism in recent Linux kernels (6.18+). Binder is Android's primary inter-process communication framework, now being reimplemented in Rust for memory safety. The vulnerability exploits a race condition in VMA lifecycle management: when Rust Binder's vm_insert_page or zap_page_range_single operations look up a VMA by address via vma_lookup(), they don't verify ownership. An attacker can close and replace the VMA at the same address between lookup and usage (TOCTOU issue), causing Rust Binder to install pages into an attacker-controlled writable VMA instead of the intended read-only Binder VMA. The root cause is insufficient validation of vm_ops and vm_private_data pointers before VMA operations. The fix adds explicit pointer checks to verify VMA identity. C Binder uses a different approach with vm_ops->close callbacks. CWE classification not provided by NVD, but this represents a race condition (CWE-362) leading to privilege escalation (CWE-269).

RemediationAI

Update to patched Linux kernel versions: 6.18.19, 6.19.9, or 7.0 and later. Patches implement VMA ownership validation by checking vm_ops and vm_private_data pointers before page operations, available via kernel.org stable tree at commits 20a01f20d1f4, 5a472d04fb4b, and 8ef2c15aeae0. For systems that cannot immediately patch, compensating controls include: (1) disable Rust Binder entirely by setting CONFIG_ANDROID_BINDER_IPC_RUST=n and recompiling the kernel if using C Binder or no Binder is acceptable, noting this breaks compatibility with Rust-based Android components, (2) restrict local user access via stricter authentication and privilege separation, though this only raises the bar rather than eliminating the vulnerability, (3) deploy kernel runtime integrity monitoring (e.g., seccomp-bpf filters, AppArmor/SELinux policies) to restrict mmap/munmap operations on Binder-related memory regions, which may cause compatibility issues with legitimate Binder clients. Note that workarounds provide incomplete protection against a determined local attacker. Verification: after patching, confirm the vm_private_data check exists in drivers/android/rust_binder.rs or the equivalent kernel module.

Vendor StatusVendor

Share

EUVD-2026-28740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy