CVE-2026-43433
Received Received - Intake
Linux Kernel TOCTOU Race Condition in Binder

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: rust_binder: avoid reading the written value in offsets array When sending a transaction, its offsets array is first copied into the target proc's vma, and then the values are read back from there. This is normally fine because the vma is a read-only mapping, so the target process cannot change the value under us. However, if the target process somehow gains the ability to write to its own vma, it could change the offset before it's read back, causing the kernel to misinterpret what the sender meant. If the sender happens to send a payload with a specific shape, this could in the worst case lead to the receiver being able to privilege escalate into the sender. The intent is that gaining the ability to change the read-only vma of your own process should not be exploitable, so remove this TOCTOU read even though it's unexploitable without another Binder bug.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-09
AI Q&A
2026-05-08
EPSS Evaluated
N/A
NVD
CVE-2026-43433
EUVD
EUVD-2026-28739
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's rust_binder component. When sending a transaction, an offsets array is copied into the target process's virtual memory area (vma), which is normally read-only. The kernel then reads back the values from this vma. However, if the target process can write to its own vma, it could alter the offsets before they are read back, causing the kernel to misinterpret the sender's intent.

Although this scenario requires the target process to have the ability to write to its own normally read-only vma, if exploited with a specially crafted payload, it could allow the receiver process to escalate privileges into the sender process.

The fix removes this time-of-check to time-of-use (TOCTOU) read to prevent this potential exploit, even though it is not exploitable without another Binder bug.


How can this vulnerability impact me? :

If exploited, this vulnerability could allow a process receiving a transaction to escalate its privileges into the sender process. This means an attacker could potentially gain higher privileges or access rights than intended, leading to unauthorized actions within the system.

However, exploitation requires the target process to have the ability to write to its own normally read-only memory area, which is not normally possible without another underlying Binder vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by avoiding reading the written value in the offsets array during rust_binder transactions.

To mitigate this vulnerability, you should update your Linux kernel to the version that includes this fix.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart