FKIE_CVE-2026-23194

Vulnerability from fkie_nvd - Published: 2026-02-14 17:15 - Updated: 2026-02-18 17:52
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:

rust_binder: correctly handle FDA objects of length zero

Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error. The previous implementation used `skip == 0` to mean "this is a pointer fixup", but 0 is also the correct skip length for an empty FDA. If the FDA is at the end of the buffer, then this results in an attempt to write 8 bytes out of bounds. This is caught and results in an EINVAL error being returned to userspace.

The pattern of using `skip == 0` as a special value originates from the C implementation of Binder. As part of fixing this bug, this pattern is replaced with a Rust enum.

I considered the alternate option of not pushing a fixup when the length is zero, but I think it's cleaner to just get rid of the zero-is-special stuff.

The root cause of this bug was diagnosed by Gemini CLI on first try. I used the following prompt:

> There appears to be a bug in @drivers/android/binder/thread.rs where
> the Fixups oob bug is triggered with 316 304 316 324. This implies
> that we somehow ended up with a fixup where buffer A has a pointer to
> buffer B, but the pointer is located at an index in buffer A that is
> out of bounds. Please investigate the code to find the bug. You may
> compare with @drivers/android/binder.c that implements this correctly.
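The sentinel-versus-enum point in the description, as an added example in Rust that is not the kernel's rust_binder code: a constructed model of a fixup list over a byte buffer. The names LegacyFixup, Fixup, FixupKind, apply_legacy and apply are assumptions of this example, as is the 16-byte buffer. It shows that when `skip == 0` is overloaded to mean "pointer fixup", a zero-length skip for an empty fd array placed at the end of the buffer is treated as an 8-byte pointer write and rejected as out of bounds, while the enum representation keeps the two cases distinct and accepts the empty region.

```rust
// Added illustration; a constructed model, not the kernel's rust_binder code.
// A "fixup" patches a transaction buffer at `offset`: either an 8-byte pointer
// is written there, or `skip` bytes are left untouched (e.g. an fd array).

/// Legacy representation: `skip == 0` is overloaded to mean "pointer fixup".
#[derive(Debug, Clone, Copy)]
pub struct LegacyFixup {
    pub offset: usize,
    pub skip: usize,  // 0 means "this is a pointer fixup": the ambiguous sentinel
    pub pointer: u64, // only meaningful when skip == 0
}

/// Apply a legacy fixup; an out-of-range write is rejected with "EINVAL".
pub fn apply_legacy(buf: &mut [u8], f: LegacyFixup) -> Result<(), &'static str> {
    if f.skip == 0 {
        // Treated as a pointer fixup: needs 8 bytes at `offset`, even when the
        // caller actually meant "skip zero bytes".
        let end = f.offset.checked_add(8).ok_or("EINVAL")?;
        if end > buf.len() {
            return Err("EINVAL");
        }
        buf[f.offset..end].copy_from_slice(&f.pointer.to_ne_bytes());
    } else {
        // A skip region: only the range is validated, nothing is written.
        let end = f.offset.checked_add(f.skip).ok_or("EINVAL")?;
        if end > buf.len() {
            return Err("EINVAL");
        }
    }
    Ok(())
}

/// Enum representation: the two cases are distinct variants, so a zero-length
/// skip can no longer be mistaken for a pointer write.
#[derive(Debug, Clone, Copy)]
pub enum FixupKind {
    Pointer(u64),
    Skip(usize),
}

#[derive(Debug, Clone, Copy)]
pub struct Fixup {
    pub offset: usize,
    pub kind: FixupKind,
}

pub fn apply(buf: &mut [u8], f: Fixup) -> Result<(), &'static str> {
    match f.kind {
        FixupKind::Pointer(p) => {
            let end = f.offset.checked_add(8).ok_or("EINVAL")?;
            if end > buf.len() {
                return Err("EINVAL");
            }
            buf[f.offset..end].copy_from_slice(&p.to_ne_bytes());
        }
        FixupKind::Skip(len) => {
            // len == 0 is a valid empty region; offset == buf.len() is then fine.
            let end = f.offset.checked_add(len).ok_or("EINVAL")?;
            if end > buf.len() {
                return Err("EINVAL");
            }
        }
    }
    Ok(())
}

/// Constructed scenario: a 16-byte buffer whose last object is an empty fd
/// array, so its zero-length skip fixup sits exactly at the buffer's end.
/// Returns (legacy result, enum result).
pub fn empty_fda_at_end() -> (Result<(), &'static str>, Result<(), &'static str>) {
    let mut buf = [0u8; 16];
    let legacy = apply_legacy(&mut buf, LegacyFixup { offset: 16, skip: 0, pointer: 0 });
    let fixed = apply(&mut buf, Fixup { offset: 16, kind: FixupKind::Skip(0) });
    (legacy, fixed)
}

/// A genuine pointer fixup still works with the enum: write 0x1122_3344 at
/// offset 8 of a 16-byte buffer and read it back.
pub fn pointer_roundtrip() -> Result<u64, &'static str> {
    let mut buf = [0u8; 16];
    apply(&mut buf, Fixup { offset: 8, kind: FixupKind::Pointer(0x1122_3344) })?;
    let mut raw = [0u8; 8];
    raw.copy_from_slice(&buf[8..16]);
    Ok(u64::from_ne_bytes(raw))
}

fn main() {
    let (legacy, fixed) = empty_fda_at_end();
    println!("legacy skip==0 sentinel at buffer end: {:?}", legacy);
    println!("enum Skip(0) at buffer end:            {:?}", fixed);
    println!("pointer roundtrip: {:?}", pointer_roundtrip());
}
```

The design point is that the bounds check itself is correct in both versions; what differs is whether the type can express "skip nothing" without colliding with "write a pointer". Making the variant explicit turns a data-dependent misinterpretation into something the compiler forces the caller to decide.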
Impacted products
Vendor Product Version

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: correctly handle FDA objects of length zero\n\nFix a bug where an empty FDA (fd array) object with 0 fds would cause an\nout-of-bounds error. The previous implementation used `skip == 0` to\nmean \"this is a pointer fixup\", but 0 is also the correct skip length\nfor an empty FDA. If the FDA is at the end of the buffer, then this\nresults in an attempt to write 8-bytes out of bounds. This is caught and\nresults in an EINVAL error being returned to userspace.\n\nThe pattern of using `skip == 0` as a special value originates from the\nC-implementation of Binder. As part of fixing this bug, this pattern is\nreplaced with a Rust enum.\n\nI considered the alternate option of not pushing a fixup when the length\nis zero, but I think it\u0027s cleaner to just get rid of the zero-is-special\nstuff.\n\nThe root cause of this bug was diagnosed by Gemini CLI on first try. I\nused the following prompt:\n\n\u003e There appears to be a bug in @drivers/android/binder/thread.rs where\n\u003e the Fixups oob bug is triggered with 316 304 316 324. This implies\n\u003e that we somehow ended up with a fixup where buffer A has a pointer to\n\u003e buffer B, but the pointer is located at an index in buffer A that is\n\u003e out of bounds. Please investigate the code to find the bug. You may\n\u003e compare with @drivers/android/binder.c that implements this correctly."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nrust_binder: manejar correctamente los objetos FDA de longitud cero\n\nSe corrige un error donde un objeto FDA (matriz de descriptores de archivo) vac\u00edo con 0 descriptores de archivo causar\u00eda un error de fuera de l\u00edmites. La implementaci\u00f3n anterior utilizaba \u0027skip == 0\u0027 para significar \u0027esto es una correcci\u00f3n de puntero\u0027, pero 0 es tambi\u00e9n la longitud de salto correcta para un FDA vac\u00edo. Si el FDA est\u00e1 al final del b\u00fafer, entonces esto resulta en un intento de escribir 8 bytes fuera de los l\u00edmites. Esto es detectado y resulta en que se devuelve un error EINVAL al espacio de usuario.\n\nEl patr\u00f3n de usar \u0027skip == 0\u0027 como un valor especial se origina en la implementaci\u00f3n en C de Binder. Como parte de la correcci\u00f3n de este error, este patr\u00f3n es reemplazado con un enum de Rust.\n\nConsider\u00e9 la opci\u00f3n alternativa de no aplicar una correcci\u00f3n cuando la longitud es cero, pero creo que es m\u00e1s limpio simplemente eliminar lo de \"cero es especial\".\n\nLa causa ra\u00edz de este error fue diagnosticada por Gemini CLI al primer intento. Utilic\u00e9 el siguiente prompt:\n\n\u0026gt; Parece haber un error en @drivers/android/binder/thread.rs donde el error de fuera de l\u00edmites (oob) de Fixups se activa con 316 304 316 324. Esto implica que de alguna manera terminamos con una correcci\u00f3n donde el b\u00fafer A tiene un puntero al b\u00fafer B, pero el puntero est\u00e1 ubicado en un \u00edndice en el b\u00fafer A que est\u00e1 fuera de los l\u00edmites. Por favor, investigue el c\u00f3digo para encontrar el error. Puede comparar con @drivers/android/binder.c que implementa esto correctamente."
    }
  ],
  "id": "CVE-2026-23194",
  "lastModified": "2026-02-18T17:52:22.253",
  "metrics": {},
  "published": "2026-02-14T17:15:57.233",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/598fe3ff32e43918ed8a062f55432b3d23e6340c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8f589c9c3be539d6c2b393c82940c3783831082f"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}

