{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23194","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.985Z","datePublished":"2026-02-14T16:27:20.944Z","dateUpdated":"2026-05-11T22:02:08.665Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:02:08.665Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: correctly handle FDA objects of length zero\n\nFix a bug where an empty FDA (fd array) object with 0 fds would cause an\nout-of-bounds error. The previous implementation used `skip == 0` to\nmean \"this is a pointer fixup\", but 0 is also the correct skip length\nfor an empty FDA. If the FDA is at the end of the buffer, then this\nresults in an attempt to write 8-bytes out of bounds. This is caught and\nresults in an EINVAL error being returned to userspace.\n\nThe pattern of using `skip == 0` as a special value originates from the\nC-implementation of Binder. As part of fixing this bug, this pattern is\nreplaced with a Rust enum.\n\nI considered the alternate option of not pushing a fixup when the length\nis zero, but I think it's cleaner to just get rid of the zero-is-special\nstuff.\n\nThe root cause of this bug was diagnosed by Gemini CLI on first try. I\nused the following prompt:\n\n> There appears to be a bug in @drivers/android/binder/thread.rs where\n> the Fixups oob bug is triggered with 316 304 316 324. This implies\n> that we somehow ended up with a fixup where buffer A has a pointer to\n> buffer B, but the pointer is located at an index in buffer A that is\n> out of bounds. Please investigate the code to find the bug. You may\n> compare with @drivers/android/binder.c that implements this correctly."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/android/binder/thread.rs"],"versions":[{"version":"eafedbc7c050c44744fbdf80bdf3315e860b7513","lessThan":"598fe3ff32e43918ed8a062f55432b3d23e6340c","status":"affected","versionType":"git"},{"version":"eafedbc7c050c44744fbdf80bdf3315e860b7513","lessThan":"8f589c9c3be539d6c2b393c82940c3783831082f","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/android/binder/thread.rs"],"versions":[{"version":"6.18","status":"affected"},{"version":"0","lessThan":"6.18","status":"unaffected","versionType":"semver"},{"version":"6.18.10","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.18.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/598fe3ff32e43918ed8a062f55432b3d23e6340c"},{"url":"https://git.kernel.org/stable/c/8f589c9c3be539d6c2b393c82940c3783831082f"}],"title":"rust_binder: correctly handle FDA objects of length zero","x_generator":{"engine":"bippy-1.2.0"}}}}