Time-of-check Time-of-use (TOCTOU) Race Condition in Linux kernel - CVE-2026-43433
Published: May 8, 2026
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a time-of-check time-of-use (TOCTOU) race condition in the rust_binder handling of the transaction offsets array: when a transaction is sent, the offsets are copied to the target process VMA and then read back from it. A local user can escalate privileges by modifying the copied offsets before they are read back.
Exploitation requires that the target process gain the ability to write to its own, normally read-only, binder VMA, and that the payload have a specific shape.
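
The check-then-read-back pattern described above, as an added userspace model in Rust; it is not rust_binder code and not the kernel fix. Every name, the 16-byte object size and the bounds rule are assumptions, and the `racer` closure stands in for a receiver that can write to the buffer between the check and the read-back.

```rust
// Userspace model of the double fetch; all names here are hypothetical.
const OBJ_SIZE: u64 = 16; // assumed size of one object in the payload

// Check: every offset must leave room for a whole object inside the payload.
fn offsets_valid(offsets: &[u64], payload_len: u64) -> bool {
    offsets.iter().all(|&o| o.checked_add(OBJ_SIZE).map_or(false, |end| end <= payload_len))
}

// Copy the offsets into the receiver-visible buffer (stands in for the target VMA).
fn copy_out(offsets: &[u64], shared: &mut [u8]) {
    for (i, o) in offsets.iter().enumerate() {
        shared[i * 8..i * 8 + 8].copy_from_slice(&o.to_le_bytes());
    }
}

// Racy pattern: validate the sender's array, copy it out, then read it back
// from memory the receiver may have changed in between.
fn send_reread(offsets: &[u64], payload_len: u64, shared: &mut [u8],
               racer: impl FnOnce(&mut [u8])) -> Option<Vec<u64>> {
    if !offsets_valid(offsets, payload_len) { return None; }
    copy_out(offsets, shared);
    racer(shared); // window between time of check and time of use
    let used: Vec<u64> = shared[..offsets.len() * 8].chunks_exact(8)
        .map(|c| { let mut w = [0u8; 8]; w.copy_from_slice(c); u64::from_le_bytes(w) })
        .collect();
    Some(used) // values are used without being checked again
}

// Single-fetch pattern: the validated private copy is the only source of truth.
fn send_private(offsets: &[u64], payload_len: u64, shared: &mut [u8],
                racer: impl FnOnce(&mut [u8])) -> Option<Vec<u64>> {
    let private = offsets.to_vec();
    if !offsets_valid(&private, payload_len) { return None; }
    copy_out(&private, shared);
    racer(shared); // receiver-side writes no longer reach the values used
    Some(private)
}

fn main() {
    let (offsets, payload_len) = ([0u64, 32], 64u64); // constructed sample
    let flip = |b: &mut [u8]| b[..8].copy_from_slice(&4096u64.to_le_bytes());
    let racy = send_reread(&offsets, payload_len, &mut [0u8; 16], flip).unwrap();
    let safe = send_private(&offsets, payload_len, &mut [0u8; 16], flip).unwrap();
    println!("read-back used {:?}, valid = {}", racy, offsets_valid(&racy, payload_len));
    println!("private used {:?}, valid = {}", safe, offsets_valid(&safe, payload_len));
}
```

Re-validating the values after the read-back is the other general way to close the window; the model shows the private-copy variant only.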