SB2026033014 - Memory corruption in Linux kernel android binder driver

Description

This security bulletin contains information about 1 security vulnerability.

1) Memory corruption (CVE-ID: CVE-2026-23400)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking mechanism in the rust_binder component when handling BC_DEAD_BINDER_DONE commands. A local user can send a specially crafted command sequence involving BC_CLEAR_DEATH_NOTIFICATION and BC_DEAD_BINDER_DONE to cause a deadlock in the kernel, resulting in a denial of service.

The issue arises when set_notification_done() is called without releasing the proc lock, leading to a potential deadlock if the current thread is not a looper, as the fallback path attempts to reacquire the proc lock.

Remediation

Install update from vendor's website.

References

• https://git.kernel.org/stable/c/2e303f0febb65a434040774b793ba8356698802b
• https://git.kernel.org/stable/c/3be72099067d2cd4a0e089696f19780f75b2b88a
• https://git.kernel.org/stable/c/dd109e3442817bc03ad1f3ffd541092f8c428141