{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23194", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.985Z", "datePublished": "2026-02-14T16:27:20.944Z", "dateUpdated": "2026-05-11T22:02:08.665Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:08.665Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: correctly handle FDA objects of length zero\n\nFix a bug where an empty FDA (fd array) object with 0 fds would cause an\nout-of-bounds error. The previous implementation used `skip == 0` to\nmean \"this is a pointer fixup\", but 0 is also the correct skip length\nfor an empty FDA. If the FDA is at the end of the buffer, then this\nresults in an attempt to write 8-bytes out of bounds. This is caught and\nresults in an EINVAL error being returned to userspace.\n\nThe pattern of using `skip == 0` as a special value originates from the\nC-implementation of Binder. As part of fixing this bug, this pattern is\nreplaced with a Rust enum.\n\nI considered the alternate option of not pushing a fixup when the length\nis zero, but I think it's cleaner to just get rid of the zero-is-special\nstuff.\n\nThe root cause of this bug was diagnosed by Gemini CLI on first try. I\nused the following prompt:\n\n> There appears to be a bug in @drivers/android/binder/thread.rs where\n> the Fixups oob bug is triggered with 316 304 316 324. This implies\n> that we somehow ended up with a fixup where buffer A has a pointer to\n> buffer B, but the pointer is located at an index in buffer A that is\n> out of bounds. Please investigate the code to find the bug. You may\n> compare with @drivers/android/binder.c that implements this correctly."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/android/binder/thread.rs"], "versions": [{"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513", "lessThan": "598fe3ff32e43918ed8a062f55432b3d23e6340c", "status": "affected", "versionType": "git"}, {"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513", "lessThan": "8f589c9c3be539d6c2b393c82940c3783831082f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/android/binder/thread.rs"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/598fe3ff32e43918ed8a062f55432b3d23e6340c"}, {"url": "https://git.kernel.org/stable/c/8f589c9c3be539d6c2b393c82940c3783831082f"}], "title": "rust_binder: correctly handle FDA objects of length zero", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "32F6354D-FB80-4DEC-B5BD-29DA22C31C55", "versionEndExcluding": "6.18.10", "versionStartIncluding": "6.18", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: correctly handle FDA objects of length zero\n\nFix a bug where an empty FDA (fd array) object with 0 fds would cause an\nout-of-bounds error. The previous implementation used `skip == 0` to\nmean \"this is a pointer fixup\", but 0 is also the correct skip length\nfor an empty FDA. If the FDA is at the end of the buffer, then this\nresults in an attempt to write 8-bytes out of bounds. This is caught and\nresults in an EINVAL error being returned to userspace.\n\nThe pattern of using `skip == 0` as a special value originates from the\nC-implementation of Binder. As part of fixing this bug, this pattern is\nreplaced with a Rust enum.\n\nI considered the alternate option of not pushing a fixup when the length\nis zero, but I think it's cleaner to just get rid of the zero-is-special\nstuff.\n\nThe root cause of this bug was diagnosed by Gemini CLI on first try. I\nused the following prompt:\n\n> There appears to be a bug in @drivers/android/binder/thread.rs where\n> the Fixups oob bug is triggered with 316 304 316 324. This implies\n> that we somehow ended up with a fixup where buffer A has a pointer to\n> buffer B, but the pointer is located at an index in buffer A that is\n> out of bounds. Please investigate the code to find the bug. You may\n> compare with @drivers/android/binder.c that implements this correctly."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nrust_binder: manejar correctamente los objetos FDA de longitud cero\n\nSe corrige un error donde un objeto FDA (matriz de descriptores de archivo) vac\u00edo con 0 descriptores de archivo causar\u00eda un error de fuera de l\u00edmites. La implementaci\u00f3n anterior utilizaba 'skip == 0' para significar 'esto es una correcci\u00f3n de puntero', pero 0 es tambi\u00e9n la longitud de salto correcta para un FDA vac\u00edo. Si el FDA est\u00e1 al final del b\u00fafer, entonces esto resulta en un intento de escribir 8 bytes fuera de los l\u00edmites. Esto es detectado y resulta en que se devuelve un error EINVAL al espacio de usuario.\n\nEl patr\u00f3n de usar 'skip == 0' como un valor especial se origina en la implementaci\u00f3n en C de Binder. Como parte de la correcci\u00f3n de este error, este patr\u00f3n es reemplazado con un enum de Rust.\n\nConsider\u00e9 la opci\u00f3n alternativa de no aplicar una correcci\u00f3n cuando la longitud es cero, pero creo que es m\u00e1s limpio simplemente eliminar lo de \"cero es especial\".\n\nLa causa ra\u00edz de este error fue diagnosticada por Gemini CLI al primer intento. Utilic\u00e9 el siguiente prompt:\n\n> Parece haber un error en @drivers/android/binder/thread.rs donde el error de fuera de l\u00edmites (oob) de Fixups se activa con 316 304 316 324. Esto implica que de alguna manera terminamos con una correcci\u00f3n donde el b\u00fafer A tiene un puntero al b\u00fafer B, pero el puntero est\u00e1 ubicado en un \u00edndice en el b\u00fafer A que est\u00e1 fuera de los l\u00edmites. Por favor, investigue el c\u00f3digo para encontrar el error. Puede comparar con @drivers/android/binder.c que implementa esto correctamente."}], "id": "CVE-2026-23194", "lastModified": "2026-03-19T17:47:30.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T17:15:57.233", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/598fe3ff32e43918ed8a062f55432b3d23e6340c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8f589c9c3be539d6c2b393c82940c3783831082f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: rust_binder: correctly handle FDA objects of length zero", "id": "2439901", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439901"}, "csaw": false, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nrust_binder: correctly handle FDA objects of length zero\nFix a bug where an empty FDA (fd array) object with 0 fds would cause an\nout-of-bounds error. The previous implementation used `skip == 0` to\nmean \"this is a pointer fixup\", but 0 is also the correct skip length\nfor an empty FDA. If the FDA is at the end of the buffer, then this\nresults in an attempt to write 8-bytes out of bounds. This is caught and\nresults in an EINVAL error being returned to userspace.\nThe pattern of using `skip == 0` as a special value originates from the\nC-implementation of Binder. As part of fixing this bug, this pattern is\nreplaced with a Rust enum.\nI considered the alternate option of not pushing a fixup when the length\nis zero, but I think it's cleaner to just get rid of the zero-is-special\nstuff.\nThe root cause of this bug was diagnosed by Gemini CLI on first try. I\nused the following prompt:\n> There appears to be a bug in @drivers/android/binder/thread.rs where\n> the Fixups oob bug is triggered with 316 304 316 324. This implies\n> that we somehow ended up with a fixup where buffer A has a pointer to\n> buffer B, but the pointer is located at an index in buffer A that is\n> out of bounds. Please investigate the code to find the bug. You may\n> compare with @drivers/android/binder.c that implements this correctly."], "name": "CVE-2026-23194", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23194\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23194\nhttps://lore.kernel.org/linux-cve-announce/2026021434-CVE-2026-23194-5976@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[eafedbc7c050c44744fbdf80bdf3315e860b7513,598fe3ff32e43918ed8a062f55432b3d23e6340c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[eafedbc7c050c44744fbdf80bdf3315e860b7513,8f589c9c3be539d6c2b393c82940c3783831082f)"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "calver", "value": "6.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.10,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-18T12:13:56.662342+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the binder patch (e.g., 6.19 stable or later).", "If possible, modify applications to avoid sending empty FDA objects via Binder, or ensure that Binders are updated before use.", "After updating, restart services that depend on Binder IPC and monitor for EINVAL errors in system logs."], "summary": {"action": "Apply Patch", "impact": "Out-of-Bounds Write"}, "threat_synthesis": {"affected_systems": "All Linux kernel 6.19 release candidates from rc1 through rc8, as listed by the supplied CPE entries. Any derivative of the kernel that incorporates the same binder source before the patch is also affected.", "description_and_impact": "A bug in the Linux kernel\u2019s Binder module caused the Rust implementation to misinterpret an empty FDA (file descriptor array) object as a pointer fix\u2011up when the skip value was zero. The code then attempted to write eight bytes beyond the end of the buffer, triggering an out\u2011of\u2011bounds write. The kernel\u2019s bounds check prevented a crash, resulting instead in an EINVAL error returned to userspace. The flaw does not provide a direct path to code execution but could allow an attacker to cause kernel memory corruption or a denial\u2011of\u2011service.", "risk_and_exploitability": "With a CVSS score of 7.8 the issue is high severity, but the EPSS score is below 1\u202f% and the vulnerability is not in the CISA KEV catalog, indicating a low likelihood of exploitation in the wild. The most likely attack vector is local: an attacker who can invoke a Binder transaction that includes an empty FDA object, such as malicious applications on the same device, may trigger the out\u2011of\u2011bounds write. Because the kernel detects the overflow, only a denial\u2011of\u2011service or potential unstable state is expected, and no remote code execution is documented."}}}}, "created": "2026-02-16T09:43:39.808132+00:00", "updated": "2026-04-18T12:15:15.788942+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}