{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43435", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:56.009Z", "datePublished": "2026-05-08T14:22:05.921Z", "dateUpdated": "2026-05-11T22:24:32.185Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:24:32.185Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: fix oneway spam detection\n\nThe spam detection logic in TreeRange was executed before the current\nrequest was inserted into the tree. So the new request was not being\nfactored in the spam calculation. Fix this by moving the logic after\nthe new range has been inserted.\n\nAlso, the detection logic for ArrayRange was missing altogether which\nmeant large spamming transactions could get away without being detected.\nFix this by implementing an equivalent low_oneway_space() in ArrayRange.\n\nNote that I looked into centralizing this logic in RangeAllocator but\niterating through 'state' and 'size' got a bit too complicated (for me)\nand I abandoned this effort."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/android/binder/range_alloc/array.rs", "drivers/android/binder/range_alloc/mod.rs", "drivers/android/binder/range_alloc/tree.rs"], "versions": [{"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513", "lessThan": "edf685946c4acbe57cb96f8d5f3c07e9a2e973c8", "status": "affected", "versionType": "git"}, {"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513", "lessThan": "8d34c993a9a156e657e43cb95186980745cc3597", "status": "affected", "versionType": "git"}, {"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513", "lessThan": "4fc87c240b8f30e22b7ebaae29d57105589e1c0b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/android/binder/range_alloc/array.rs", "drivers/android/binder/range_alloc/mod.rs", "drivers/android/binder/range_alloc/tree.rs"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/edf685946c4acbe57cb96f8d5f3c07e9a2e973c8"}, {"url": "https://git.kernel.org/stable/c/8d34c993a9a156e657e43cb95186980745cc3597"}, {"url": "https://git.kernel.org/stable/c/4fc87c240b8f30e22b7ebaae29d57105589e1c0b"}], "title": "rust_binder: fix oneway spam detection", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: fix oneway spam detection\n\nThe spam detection logic in TreeRange was executed before the current\nrequest was inserted into the tree. So the new request was not being\nfactored in the spam calculation. Fix this by moving the logic after\nthe new range has been inserted.\n\nAlso, the detection logic for ArrayRange was missing altogether which\nmeant large spamming transactions could get away without being detected.\nFix this by implementing an equivalent low_oneway_space() in ArrayRange.\n\nNote that I looked into centralizing this logic in RangeAllocator but\niterating through 'state' and 'size' got a bit too complicated (for me)\nand I abandoned this effort."}], "id": "CVE-2026-43435", "lastModified": "2026-05-12T14:10:27.343", "metrics": {}, "published": "2026-05-08T15:16:55.827", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4fc87c240b8f30e22b7ebaae29d57105589e1c0b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8d34c993a9a156e657e43cb95186980745cc3597"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/edf685946c4acbe57cb96f8d5f3c07e9a2e973c8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: rust_binder: fix oneway spam detection", "id": "2468195", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468195"}, "csaw": false, "cwe": "CWE-770", "details": ["A flaw was found in the Linux kernel's rust_binder component. The oneway spam detection logic in both TreeRange and ArrayRange was incorrectly implemented or missing, allowing large spamming transactions to go undetected. A local attacker could exploit this vulnerability to cause a Denial of Service (DoS) by overwhelming system resources with undetected spamming transactions."], "name": "CVE-2026-43435", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-43435\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43435\nhttps://lore.kernel.org/linux-cve-announce/2026050852-CVE-2026-43435-9f8d@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[eafedbc7c050c44744fbdf80bdf3315e860b7513,edf685946c4acbe57cb96f8d5f3c07e9a2e973c8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[eafedbc7c050c44744fbdf80bdf3315e860b7513,8d34c993a9a156e657e43cb95186980745cc3597)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[eafedbc7c050c44744fbdf80bdf3315e860b7513,4fc87c240b8f30e22b7ebaae29d57105589e1c0b)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.19,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.9,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-05-08T19:15:14.590578+00:00", "updated": "2026-05-09T17:30:38.221322+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}