CVE-2026-23400

Description

In the Linux kernel, the following vulnerability has been resolved: rust_binder: call set_notification_done() without proc lock Consider the following sequence of events on a death listener: 1. The remote process dies and sends a BR_DEAD_BINDER message. 2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command. 3. The local process then invokes the BC_DEAD_BINDER_DONE. Then, the kernel will reply to the BC_DEAD_BINDER_DONE command with a BR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper(). However, this can result in a deadlock if the current thread is not a looper. This is because dead_binder_done() still holds the proc lock during set_notification_done(), which called push_work_if_looper(). Normally, push_work_if_looper() takes the thread lock, which is fine to take under the proc lock. But if the current thread is not a looper, then it falls back to delivering the reply to the process work queue, which involves taking the proc lock. Since the proc lock is already held, this is a deadlock. Fix this by releasing the proc lock during set_notification_done(). It was not intentional that it was held during that function to begin with. I don't think this ever happens in Android because BC_DEAD_BINDER_DONE is only invoked in response to BR_DEAD_BINDER messages, and the kernel always delivers BR_DEAD_BINDER to a looper. So there's no scenario where Android userspace will call BC_DEAD_BINDER_DONE on a non-looper thread.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE

Linux Kernel (包含rust_binder组件的版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-23400: Rust Binder Deadlock
 * This is a conceptual reproduction of the deadlock sequence.
 * Requires a kernel with rust_binder enabled.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>

#define BINDER_WRITE_READ _IOWR('b', 1, struct binder_write_read)
// Simplified definitions for binder commands
#define BC_DEAD_BINDER_DONE 0x10
#define BC_CLEAR_DEATH_NOTIFICATION 0x11

void trigger_deadlock(int fd) {
    // This sequence must be executed on a thread that is NOT a looper
    // to trigger the deadlock logic described in the CVE.
    
    struct {
        uint32_t cmd;
        void *ptr;
    } data;

    // Step 1: Assume BR_DEAD_BINDER was received previously
    // Step 2: Invoke BC_CLEAR_DEATH_NOTIFICATION
    data.cmd = BC_CLEAR_DEATH_NOTIFICATION;
    data.ptr = (void *)0xdeadbeef; // Mock pointer
    ioctl(fd, BINDER_WRITE_READ, &data);

    // Step 3: Invoke BC_DEAD_BINDER_DONE
    // This triggers the path where dead_binder_done holds proc lock
    // and tries to push work to the process queue (needs proc lock again).
    data.cmd = BC_DEAD_BINDER_DONE;
    data.ptr = (void *)0xdeadbeef;
    ioctl(fd, BINDER_WRITE_READ, &data);
}

int main() {
    // Implementation to open /dev/binder and setup context is omitted
    // for brevity, as this focuses on the specific command sequence.
    printf("Attempting to trigger CVE-2026-23400 deadlock...\n");
    // trigger_deadlock(binder_fd);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-23400
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-23400
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-23400/
[4] VulDB https://vuldb.com/cve/CVE-2026-23400
[5] https://git.kernel.org/stable/c/2e303f0febb65a434040774b793ba8356698802b
[6] https://git.kernel.org/stable/c/3be72099067d2cd4a0e089696f19780f75b2b88a
[7] https://git.kernel.org/stable/c/dd109e3442817bc03ad1f3ffd541092f8c428141

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-23400", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-29T13:16:58.920", "lastModified": "2026-04-24T15:17:32.797", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: call set_notification_done() without proc lock\n\nConsider the following sequence of events on a death listener:\n1. The remote process dies and sends a BR_DEAD_BINDER message.\n2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command.\n3. The local process then invokes the BC_DEAD_BINDER_DONE.\nThen, the kernel will reply to the BC_DEAD_BINDER_DONE command with a\nBR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper().\n\nHowever, this can result in a deadlock if the current thread is not a\nlooper. This is because dead_binder_done() still holds the proc lock\nduring set_notification_done(), which called push_work_if_looper().\nNormally, push_work_if_looper() takes the thread lock, which is fine to\ntake under the proc lock. But if the current thread is not a looper,\nthen it falls back to delivering the reply to the process work queue,\nwhich involves taking the proc lock. Since the proc lock is already\nheld, this is a deadlock.\n\nFix this by releasing the proc lock during set_notification_done(). It\nwas not intentional that it was held during that function to begin with.\n\nI don't think this ever happens in Android because BC_DEAD_BINDER_DONE\nis only invoked in response to BR_DEAD_BINDER messages, and the kernel\nalways delivers BR_DEAD_BINDER to a looper. So there's no scenario where\nAndroid userspace will call BC_DEAD_BINDER_DONE on a non-looper thread."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nrust_binder: llamar a set_notification_done() sin el bloqueo de proc\n\nConsidere la siguiente secuencia de eventos en un oyente de muerte:\n1. El proceso remoto muere y envía un mensaje BR_DEAD_BINDER.\n2. El proceso local invoca el comando BC_CLEAR_DEATH_NOTIFICATION.\n3. El proceso local luego invoca el BC_DEAD_BINDER_DONE.\nEntonces, el kernel responderá al comando BC_DEAD_BINDER_DONE con una\nrespuesta BR_CLEAR_DEATH_NOTIFICATION_DONE usando push_work_if_looper().\n\nSin embargo, esto puede resultar en un interbloqueo si el hilo actual no es un\nlooper. Esto se debe a que dead_binder_done() aún mantiene el bloqueo de proc\ndurante set_notification_done(), que llamó a push_work_if_looper().\nNormalmente, push_work_if_looper() toma el bloqueo de hilo, lo cual está bien tomar\nbajo el bloqueo de proc. Pero si el hilo actual no es un looper,\nentonces recurre a entregar la respuesta a la cola de trabajo del proceso,\nlo que implica tomar el bloqueo de proc. Dado que el bloqueo de proc ya está\nretenido, esto es un interbloqueo.\n\nSolucione esto liberando el bloqueo de proc durante set_notification_done(). No\nfue intencional que se mantuviera durante esa función para empezar.\n\nNo creo que esto ocurra nunca en Android porque BC_DEAD_BINDER_DONE\nsolo se invoca en respuesta a mensajes BR_DEAD_BINDER, y el kernel\nsiempre entrega BR_DEAD_BINDER a un looper. Así que no hay ningún escenario donde\nel espacio de usuario de Android llame a BC_DEAD_BINDER_DONE en un hilo que no sea un looper."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-667"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.1", "versionEndExcluding": "6.18.19", "matchCriteriaId": "6F718F75-20D5-4D17-B698-1D1BD5FDE294"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.9", "matchCriteriaId": "E825E7C3-FEAC-4FD3-8A81-78D7387948C9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*", "matchCriteriaId": "DCE57113-2223-4308-A0F2-5E6ECFBB3C23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCrit ... (truncated)