CVE-2026-23194
Unknown Unknown - Not Provided
Out-of-Bounds Write in Linux Kernel rust_binder FDA Handling

Publication date: 2026-02-14

Last updated on: 2026-03-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: rust_binder: correctly handle FDA objects of length zero Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error. The previous implementation used `skip == 0` to mean "this is a pointer fixup", but 0 is also the correct skip length for an empty FDA. If the FDA is at the end of the buffer, then this results in an attempt to write 8-bytes out of bounds. This is caught and results in an EINVAL error being returned to userspace. The pattern of using `skip == 0` as a special value originates from the C-implementation of Binder. As part of fixing this bug, this pattern is replaced with a Rust enum. I considered the alternate option of not pushing a fixup when the length is zero, but I think it's cleaner to just get rid of the zero-is-special stuff. The root cause of this bug was diagnosed by Gemini CLI on first try. I used the following prompt: > There appears to be a bug in @drivers/android/binder/thread.rs where > the Fixups oob bug is triggered with 316 304 316 324. This implies > that we somehow ended up with a fixup where buffer A has a pointer to > buffer B, but the pointer is located at an index in buffer A that is > out of bounds. Please investigate the code to find the bug. You may > compare with @drivers/android/binder.c that implements this correctly.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23194
EUVD
EUVD-2026-5850
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.18 (inc) to 6.18.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a bug in the Linux kernel's rust_binder component related to handling FDA (file descriptor array) objects of length zero.

The issue occurs because the code incorrectly treats a skip value of zero as a special pointer fixup indicator, but zero is also a valid skip length for an empty FDA object.

When an empty FDA is at the end of a buffer, this causes an out-of-bounds write of 8 bytes, which is caught and results in an EINVAL error returned to userspace.

The fix involved replacing the zero-is-special pattern with a Rust enum to correctly handle empty FDA objects and prevent out-of-bounds errors.

Impact Analysis

This vulnerability can cause an out-of-bounds write in the Linux kernel when handling empty FDA objects, potentially leading to kernel errors.

The out-of-bounds write is caught and results in an error (EINVAL) returned to userspace, which may cause application failures or instability.

While the description does not explicitly mention security impacts like privilege escalation or denial of service, out-of-bounds writes in kernel code can sometimes be exploited to cause crashes or other unintended behavior.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23194. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart