{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23184", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.984Z", "datePublished": "2026-02-14T16:27:14.167Z", "dateUpdated": "2026-05-11T22:01:56.849Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:01:56.849Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix UAF in binder_netlink_report()\n\nOneway transactions sent to frozen targets via binder_proc_transaction()\nreturn a BR_TRANSACTION_PENDING_FROZEN error but they are still treated\nas successful since the target is expected to thaw at some point. It is\nthen not safe to access 't' after BR_TRANSACTION_PENDING_FROZEN errors\nas the transaction could have been consumed by the now thawed target.\n\nThis is the case for binder_netlink_report() which derreferences 't'\nafter a pending frozen error, as pointed out by the following KASAN\nreport:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in binder_netlink_report.isra.0+0x694/0x6c8\n Read of size 8 at addr ffff00000f98ba38 by task binder-util/522\n\n CPU: 4 UID: 0 PID: 522 Comm: binder-util Not tainted 6.19.0-rc6-00015-gc03e9c42ae8f #1 PREEMPT\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n binder_netlink_report.isra.0+0x694/0x6c8\n binder_transaction+0x66e4/0x79b8\n binder_thread_write+0xab4/0x4440\n binder_ioctl+0x1fd4/0x2940\n [...]\n\n Allocated by task 522:\n __kmalloc_cache_noprof+0x17c/0x50c\n binder_transaction+0x584/0x79b8\n binder_thread_write+0xab4/0x4440\n binder_ioctl+0x1fd4/0x2940\n [...]\n\n Freed by task 488:\n kfree+0x1d0/0x420\n binder_free_transaction+0x150/0x234\n binder_thread_read+0x2d08/0x3ce4\n binder_ioctl+0x488/0x2940\n [...]\n ==================================================================\n\nInstead, make a transaction copy so the data can be safely accessed by\nbinder_netlink_report() after a pending frozen error. While here, add a\ncomment about not using t->buffer in binder_netlink_report()."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/android/binder.c"], "versions": [{"version": "63740349eba78f242bcbf60d5244d7f2b2600853", "lessThan": "a6050dedb6f1cc23e518e3a132ab74a0aad6df90", "status": "affected", "versionType": "git"}, {"version": "63740349eba78f242bcbf60d5244d7f2b2600853", "lessThan": "5e8a3d01544282e50d887d76f30d1496a0a53562", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/android/binder.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a6050dedb6f1cc23e518e3a132ab74a0aad6df90"}, {"url": "https://git.kernel.org/stable/c/5e8a3d01544282e50d887d76f30d1496a0a53562"}], "title": "binder: fix UAF in binder_netlink_report()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "32F6354D-FB80-4DEC-B5BD-29DA22C31C55", "versionEndExcluding": "6.18.10", "versionStartIncluding": "6.18", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix UAF in binder_netlink_report()\n\nOneway transactions sent to frozen targets via binder_proc_transaction()\nreturn a BR_TRANSACTION_PENDING_FROZEN error but they are still treated\nas successful since the target is expected to thaw at some point. It is\nthen not safe to access 't' after BR_TRANSACTION_PENDING_FROZEN errors\nas the transaction could have been consumed by the now thawed target.\n\nThis is the case for binder_netlink_report() which derreferences 't'\nafter a pending frozen error, as pointed out by the following KASAN\nreport:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in binder_netlink_report.isra.0+0x694/0x6c8\n Read of size 8 at addr ffff00000f98ba38 by task binder-util/522\n\n CPU: 4 UID: 0 PID: 522 Comm: binder-util Not tainted 6.19.0-rc6-00015-gc03e9c42ae8f #1 PREEMPT\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n binder_netlink_report.isra.0+0x694/0x6c8\n binder_transaction+0x66e4/0x79b8\n binder_thread_write+0xab4/0x4440\n binder_ioctl+0x1fd4/0x2940\n [...]\n\n Allocated by task 522:\n __kmalloc_cache_noprof+0x17c/0x50c\n binder_transaction+0x584/0x79b8\n binder_thread_write+0xab4/0x4440\n binder_ioctl+0x1fd4/0x2940\n [...]\n\n Freed by task 488:\n kfree+0x1d0/0x420\n binder_free_transaction+0x150/0x234\n binder_thread_read+0x2d08/0x3ce4\n binder_ioctl+0x488/0x2940\n [...]\n ==================================================================\n\nInstead, make a transaction copy so the data can be safely accessed by\nbinder_netlink_report() after a pending frozen error. While here, add a\ncomment about not using t->buffer in binder_netlink_report()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nbinder: corregir UAF en binder_netlink_report()\n\nLas transacciones unidireccionales enviadas a objetivos congelados a trav\u00e9s de binder_proc_transaction() devuelven un error BR_TRANSACTION_PENDING_FROZEN pero a\u00fan se tratan como exitosas ya que se espera que el objetivo se descongele en alg\u00fan momento. Por lo tanto, no es seguro acceder a 't' despu\u00e9s de errores BR_TRANSACTION_PENDING_FROZEN, ya que la transacci\u00f3n podr\u00eda haber sido consumida por el objetivo ahora descongelado.\n\nEste es el caso de binder_netlink_report() que desreferencia 't' despu\u00e9s de un error de congelaci\u00f3n pendiente, como lo se\u00f1ala el siguiente informe KASAN:\n\n ==================================================================\n ERROR: KASAN: uso despu\u00e9s de liberaci\u00f3n de slab en binder_netlink_report.isra.0+0x694/0x6c8\n Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff00000f98ba38 por la tarea binder-util/522\n\n CPU: 4 UID: 0 PID: 522 Comm: binder-util No contaminado 6.19.0-rc6-00015-gc03e9c42ae8f #1 PREEMPT\n Nombre del hardware: linux,dummy-virt (DT)\n Rastro de llamada:\n binder_netlink_report.isra.0+0x694/0x6c8\n binder_transaction+0x66e4/0x79b8\n binder_thread_write+0xab4/0x4440\n binder_ioctl+0x1fd4/0x2940\n [...]\n\n Asignado por la tarea 522:\n __kmalloc_cache_noprof+0x17c/0x50c\n binder_transaction+0x584/0x79b8\n binder_thread_write+0xab4/0x4440\n binder_ioctl+0x1fd4/0x2940\n [...]\n\n Liberado por la tarea 488:\n kfree+0x1d0/0x420\n binder_free_transaction+0x150/0x234\n binder_thread_read+0x2d08/0x3ce4\n binder_ioctl+0x488/0x2940\n [...]\n ==================================================================\n\nEn su lugar, haga una copia de la transacci\u00f3n para que los datos puedan ser accedidos de forma segura por binder_netlink_report() despu\u00e9s de un error de congelaci\u00f3n pendiente. Ya que estamos, a\u00f1ada un comentario sobre no usar t->buffer en binder_netlink_report()."}], "id": "CVE-2026-23184", "lastModified": "2026-04-03T14:16:26.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T17:15:56.167", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5e8a3d01544282e50d887d76f30d1496a0a53562"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a6050dedb6f1cc23e518e3a132ab74a0aad6df90"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: binder: fix UAF in binder_netlink_report()", "id": "2439920", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439920"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23184", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23184\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23184\nhttps://lore.kernel.org/linux-cve-announce/2026021430-CVE-2026-23184-a1f1@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[63740349eba78f242bcbf60d5244d7f2b2600853,a6050dedb6f1cc23e518e3a132ab74a0aad6df90)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[63740349eba78f242bcbf60d5244d7f2b2600853,5e8a3d01544282e50d887d76f30d1496a0a53562)"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.18,6.18]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.10,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-16T00:44:29.770467+00:00", "value": {"mitigation_remediation": ["Apply a Linux kernel update that contains the binder_netlink_report use\u2011after\u2011free fix (any release newer than 6.19 rc8).", "If kernel updates are not immediately possible, disable binder support or any services that use the binder interface on the affected system to eliminate the attack surface until a patch is available.", "Continuously monitor system logs for KASAN or OOPS messages related to binder operations, and plan to upgrade the kernel as soon as updates become available."], "summary": {"action": "Apply patch", "impact": "Kernel Crash / Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected system: Linux kernel. All shipped kernel releases that include the binder subsystem and match kernel versions 6.19 rc1 through rc8, as enumerated by the provided CPE identifiers. Systems running any unsupported or older 6.19 release before the rc9 revision are vulnerable; later stable releases (6.19 onwards) where the patch has been applied are safe.", "description_and_impact": "The vulnerability arises in the Linux kernel binder subsystem, where a use\u2011after\u2011free occurs in binder_netlink_report() after a pending frozen transaction error. The code dereferences a transaction structure that may have already been freed, leading to a memory corruption that triggers a KASAN report and can crash the kernel, resulting in a denial of service for the host system. This flaw is identified as a classic CWE\u2011416 use\u2011after\u2011free bug.", "risk_and_exploitability": "The CVSS score of 7.8 denotes high severity. The EPSS score of less than 1\u202f% indicates a low probability of exploitation as of the latest data, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local access to the binder interface, for example through user\u2011level binder tools or applications that initiate one\u2011way transactions to frozen targets, which could trigger the crash. Because the impact is a kernel crash, the risk is significant for exposed services. Applying the available kernel update mitigates the issue entirely."}}}}, "created": "2026-02-16T09:43:51.719310+00:00", "updated": "2026-04-16T00:45:15.977102+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}