CVE-2026-23184
Unknown Unknown - Not Provided
Use-After-Free Vulnerability in Linux Binder Netlink Report Function

Publication date: 2026-02-14

Last updated on: 2026-04-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF in binder_netlink_report() Oneway transactions sent to frozen targets via binder_proc_transaction() return a BR_TRANSACTION_PENDING_FROZEN error but they are still treated as successful since the target is expected to thaw at some point. It is then not safe to access 't' after BR_TRANSACTION_PENDING_FROZEN errors as the transaction could have been consumed by the now thawed target. This is the case for binder_netlink_report() which derreferences 't' after a pending frozen error, as pointed out by the following KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in binder_netlink_report.isra.0+0x694/0x6c8 Read of size 8 at addr ffff00000f98ba38 by task binder-util/522 CPU: 4 UID: 0 PID: 522 Comm: binder-util Not tainted 6.19.0-rc6-00015-gc03e9c42ae8f #1 PREEMPT Hardware name: linux,dummy-virt (DT) Call trace: binder_netlink_report.isra.0+0x694/0x6c8 binder_transaction+0x66e4/0x79b8 binder_thread_write+0xab4/0x4440 binder_ioctl+0x1fd4/0x2940 [...] Allocated by task 522: __kmalloc_cache_noprof+0x17c/0x50c binder_transaction+0x584/0x79b8 binder_thread_write+0xab4/0x4440 binder_ioctl+0x1fd4/0x2940 [...] Freed by task 488: kfree+0x1d0/0x420 binder_free_transaction+0x150/0x234 binder_thread_read+0x2d08/0x3ce4 binder_ioctl+0x488/0x2940 [...] ================================================================== Instead, make a transaction copy so the data can be safely accessed by binder_netlink_report() after a pending frozen error. While here, add a comment about not using t->buffer in binder_netlink_report().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-04-03
Generated
2026-05-07
AI Q&A
2026-02-14
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23184
EUVD
EUVD-2026-5858
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.18 (inc) to 6.18.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free (UAF) issue in the Linux kernel's binder subsystem, specifically in the binder_netlink_report() function.

When oneway transactions are sent to frozen targets via binder_proc_transaction(), they return a BR_TRANSACTION_PENDING_FROZEN error but are still treated as successful because the target is expected to thaw later. However, accessing the transaction object 't' after this error is unsafe because the transaction might have been consumed by the thawed target.

In this case, binder_netlink_report() dereferences 't' after a pending frozen error, leading to a use-after-free condition as confirmed by a Kernel Address Sanitizer (KASAN) report.

The fix involves making a copy of the transaction so that binder_netlink_report() can safely access the data even after a pending frozen error, avoiding the unsafe use of the original transaction buffer.


How can this vulnerability impact me? :

A use-after-free vulnerability like this can lead to undefined behavior in the kernel, including potential crashes, data corruption, or security breaches.

Since the binder subsystem is involved in inter-process communication in the Linux kernel, exploitation of this vulnerability could allow an attacker to execute arbitrary code or cause denial of service by triggering kernel memory corruption.

This could impact system stability and security, especially on systems relying on the Linux kernel for critical operations.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a use-after-free (UAF) error in the Linux kernel's binder_netlink_report() function, which can be detected by monitoring kernel logs for KASAN (Kernel Address Sanitizer) reports indicating slab-use-after-free errors related to binder_netlink_report.

To detect this on your system, you can check the kernel logs for relevant error messages. For example, use the following command to search for binder_netlink_report related KASAN errors:

  • dmesg | grep binder_netlink_report

Additionally, monitoring for binder-related errors or unusual binder transactions in the kernel logs may help identify attempts to exploit this vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by modifying the binder_netlink_report() function to make a transaction copy so that data can be safely accessed after a pending frozen error, preventing use-after-free conditions.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability (post 6.19.0-rc6-00015-gc03e9c42ae8f or later).
  • If updating is not immediately possible, consider restricting access to binder interfaces or limiting untrusted processes from sending oneway transactions to frozen targets.
  • Monitor kernel logs for signs of exploitation attempts and apply security best practices to minimize exposure.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart