Severity: HIGH
binder FDA Buffer OOB
CVE-2026-23194
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: correctly handle FDA objects of length zero

Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error. The previous implementation used `skip == 0` to mean "this is a pointer fixup", but 0 is also the correct skip length for an empty FDA. If the FDA is at the end of the buffer, then this results in an attempt to write 8-bytes out of bounds. This is caught and results in an EINVAL error being returned to userspace.

The pattern of using `skip == 0` as a special value originates from the C-implementation of Binder. As part of fixing this bug, this pattern is replaced with a Rust enum. I considered the alternate option of not pushing a fixup when the length is zero, but I think it's cleaner to just get rid of the zero-is-special stuff.

The root cause of this bug was diagnosed by Gemini CLI on first try. I used the following prompt:

> There appears to be a bug in @drivers/android/binder/thread.rs where
> the Fixups oob bug is triggered with 316 304 316 324. This implies
> that we somehow ended up with a fixup where buffer A has a pointer to
> buffer B, but the pointer is located at an index in buffer A that is
> out of bounds. Please investigate the code to find the bug. You may
> compare with @drivers/android/binder.c that implements this correctly.
02 KernelScan AI Analysis
Risk summary
A programming logic error in the Rust Binder driver could attempt out-of-bounds memory writes when processing empty file descriptor arrays. While the kernel's bounds checking prevents actual memory corruption, this bug causes legitimate Android IPC operations to fail with errors, potentially disrupting Android system functionality and applications that rely on Binder communication.
Vulnerability analysis
Root Cause: The Rust Binder driver incorrectly used `skip == 0` as a special value to distinguish between pointer fixups and FDA (file descriptor array) objects. However, an empty FDA with 0 file descriptors also has a legitimate skip length of 0, creating ambiguity. When an empty FDA object was positioned at the end of a buffer, the code would attempt to write 8 bytes out of bounds, treating it as a pointer fixup instead of a skip operation.
Attack Surface: This vulnerability affects the Android Binder IPC mechanism, which is accessible to any process that can perform Binder transactions. The bug is triggered when userspace sends a malformed transaction containing an empty FDA object at the end of a buffer. The out-of-bounds write is caught by kernel bounds checking and returns EINVAL to userspace, preventing exploitation but causing legitimate operations to fail.
Fix Mechanism: The patch replaces the ambiguous `skip == 0` pattern with a proper Rust enum `PointerFixupEntry` that has two variants: `Fixup` for pointer operations and `Skip` for FDA operations. This eliminates the special-case handling and provides type-safe distinction between the two operation types. The fix also updates all related code paths to use pattern matching on the enum variants instead of checking the skip value.
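The following is an added, simplified model of the fixup list (not the kernel's own code; the struct and enum shapes, the `apply_*` functions and the 16-byte buffer are assumptions for illustration). It shows why a zero `skip` is ambiguous when an empty FDA sits at the end of a buffer, and how an explicit enum removes the special case.

```rust
/// Old, C-derived representation: `skip == 0` is overloaded to mean
/// "write an 8-byte pointer at `offset`" (hypothetical struct).
#[derive(Clone, Copy)]
struct OldFixup { offset: usize, skip: usize, pointer: u64 }

/// Fixed representation: the kind of entry is explicit, so a Skip of
/// length 0 (an empty FDA) can no longer be mistaken for a pointer write.
#[derive(Clone, Copy)]
enum PointerFixupEntry {
    Fixup { offset: usize, pointer: u64 },
    Skip { offset: usize, length: usize },
}

/// Apply old-style entries. Returns Err(offset) when a write would land
/// out of bounds; this models the bounds check that yields EINVAL.
fn apply_old(buf: &mut [u8], fixups: &[OldFixup]) -> Result<(), usize> {
    for f in fixups {
        if f.skip == 0 {
            // Misclassified: an empty FDA also has skip == 0, so it is
            // treated as a pointer fixup needing 8 bytes at `offset`.
            let end = f.offset.checked_add(8).ok_or(f.offset)?;
            if end > buf.len() { return Err(f.offset); }
            buf[f.offset..end].copy_from_slice(&f.pointer.to_ne_bytes());
        }
        // skip > 0: region left untouched (patched later by fd handling)
    }
    Ok(())
}

/// Apply enum-based entries; a zero-length Skip is a harmless no-op.
fn apply_new(buf: &mut [u8], fixups: &[PointerFixupEntry]) -> Result<(), usize> {
    for f in fixups {
        match *f {
            PointerFixupEntry::Fixup { offset, pointer } => {
                let end = offset.checked_add(8).ok_or(offset)?;
                if end > buf.len() { return Err(offset); }
                buf[offset..end].copy_from_slice(&pointer.to_ne_bytes());
            }
            PointerFixupEntry::Skip { offset, length } => {
                let end = offset.checked_add(length).ok_or(offset)?;
                if end > buf.len() { return Err(offset); }
            }
        }
    }
    Ok(())
}

/// Constructed scenario: one real pointer fixup at offset 0, then an
/// empty FDA (skip length 0) positioned exactly at the end of the buffer.
fn demo() -> (Result<(), usize>, Result<(), usize>) {
    let mut old_buf = [0u8; 16];
    let old = [OldFixup { offset: 0, skip: 0, pointer: 0x1000 },
               OldFixup { offset: 16, skip: 0, pointer: 0 }];
    let mut new_buf = [0u8; 16];
    let new = [PointerFixupEntry::Fixup { offset: 0, pointer: 0x1000 },
               PointerFixupEntry::Skip { offset: 16, length: 0 }];
    (apply_old(&mut old_buf, &old), apply_new(&mut new_buf, &new))
}
```

Running `demo()` gives `Err(16)` for the old path (the empty FDA at offset 16 is treated as an 8-byte pointer write past the end) and `Ok(())` for the enum path.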
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.10 | 598fe3ff32e4 |
| mainline | 6.19 | 8f589c9c3be5 |