Security Vulnerability Report
CVE-2026-43433 CVSS 7.8 HIGH

CVE-2026-43433

Published: 2026-05-08 15:16:56
Last Modified: 2026-05-11 08:16:14
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: avoid reading the written value in offsets array

When sending a transaction, its offsets array is first copied into the target proc's vma, and then the values are read back from there. This is normally fine because the vma is a read-only mapping, so the target process cannot change the value under us.

However, if the target process somehow gains the ability to write to its own vma, it could change the offset before it's read back, causing the kernel to misinterpret what the sender meant. If the sender happens to send a payload with a specific shape, this could in the worst case lead to the receiver being able to privilege escalate into the sender.

The intent is that gaining the ability to change the read-only vma of your own process should not be exploitable, so remove this TOCTOU read even though it's unexploitable without another Binder bug.
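The copy-then-read-back pattern the commit message describes, modelled in userspace as an added example (this is not kernel or rust_binder code; the function names, the receiver hook, the payload size and the offset values are all constructed for illustration). The vulnerable shape validates and acts on the value fetched back from the receiver's mapping, so a write into that mapping between the copy and the read-back changes what the kernel thinks the sender meant; the fixed shape still performs the copy but only ever interprets the copy the kernel already holds from the sender, so the same write has no effect on interpretation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the pattern in the commit message. Names below are
 * illustrative and are not rust_binder's real types or functions. */

#define MAX_OFFSETS 8
#define PAYLOAD_LEN 64   /* constructed size of the transaction data buffer */

/* Stands in for the receiver process's (normally read-only) vma. */
static size_t receiver_mapping[MAX_OFFSETS];

/* Hook modelling "the receiver somehow gains write access to its own mapping";
 * it runs in the window between the copy and the read-back. */
typedef void (*receiver_hook_t)(size_t *mapping, size_t n);

/* An offset is sane if the object it points at lies inside the payload. */
static int offset_is_valid(size_t off, size_t payload_len)
{
    return off % sizeof(size_t) == 0 && off + sizeof(size_t) <= payload_len;
}

/* Vulnerable shape: validate and use the value fetched back from the receiver. */
int translate_offsets_vulnerable(const size_t *sender_offsets, size_t n,
                                 receiver_hook_t hook, size_t *out)
{
    if (n > MAX_OFFSETS)
        return -1;
    memcpy(receiver_mapping, sender_offsets, n * sizeof(size_t));
    if (hook)
        hook(receiver_mapping, n);             /* the race window */
    for (size_t i = 0; i < n; i++) {
        size_t off = receiver_mapping[i];      /* second fetch: the TOCTOU read */
        if (!offset_is_valid(off, PAYLOAD_LEN))
            return -1;
        out[i] = off;
    }
    return 0;
}

/* Fixed shape: the copy to the receiver still happens, but the kernel only
 * interprets the value it already holds from the sender. */
int translate_offsets_fixed(const size_t *sender_offsets, size_t n,
                            receiver_hook_t hook, size_t *out)
{
    if (n > MAX_OFFSETS)
        return -1;
    memcpy(receiver_mapping, sender_offsets, n * sizeof(size_t));
    if (hook)
        hook(receiver_mapping, n);             /* same window, now harmless */
    for (size_t i = 0; i < n; i++) {
        size_t off = sender_offsets[i];        /* single fetch from the kernel-owned copy */
        if (!offset_is_valid(off, PAYLOAD_LEN))
            return -1;
        out[i] = off;
    }
    return 0;
}

/* Constructed misbehaving receiver: rewrites entry 1 to a different but still
 * in-bounds offset, so a bounds check alone does not notice the change. */
static void rewrite_offset_one(size_t *mapping, size_t n)
{
    if (n > 1)
        mapping[1] = 40;
}

/* Returns the offset the kernel ends up acting on for entry 1 (sender said 8),
 * or (size_t)-1 if the transaction was rejected. */
size_t offset_seen_by_kernel(int use_fixed)
{
    const size_t sender_offsets[4] = { 0, 8, 16, 24 };  /* what the sender meant */
    size_t out[4];
    int rc = use_fixed
        ? translate_offsets_fixed(sender_offsets, 4, rewrite_offset_one, out)
        : translate_offsets_vulnerable(sender_offsets, 4, rewrite_offset_one, out);
    return rc == 0 ? out[1] : (size_t)-1;
}

int main(void)
{
    printf("vulnerable path acts on offset %zu (sender said 8)\n", offset_seen_by_kernel(0));
    printf("fixed path acts on offset %zu (sender said 8)\n", offset_seen_by_kernel(1));
    return 0;
}
```

The point the model makes is that a bounds check on the read-back value is not a substitute for the fix: the rewritten offset is still in bounds, so only removing the second fetch keeps the kernel's interpretation tied to what the sender actually sent.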

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (specific versions that include rust_binder and do not have the patch applied)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// Conceptual PoC: Demonstrating the race condition scenario.
// Note: Exploitation requires a separate vulnerability to write to read-only VMA.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Simulated Binder Transaction Structure
struct binder_transaction_data {
    void *target_handle;
    void *cookie;
    size_t data_size;
    size_t offsets_size; // The field of interest
    // ... other fields ...
};

void trigger_race(void) {
    printf("[+] Attempting to trigger TOCTOU in rust_binder...\n");

    // Step 1: Attacker prepares a transaction with a specific payload shape
    struct binder_transaction_data txn;
    memset(&txn, 0, sizeof(txn));
    txn.offsets_size = 0x100; // Initial offset size

    // Step 2: Kernel copies offsets to target VMA (Read-Only)
    printf("[*] Kernel copying offsets (offsets_size=0x%zx) to Target VMA...\n", txn.offsets_size);

    // Step 3: Hypothetical race window where Target Process modifies VMA
    // (Requires another vulnerability to write to RO VMA)
    printf("[*] Race Window: If Target Process can write VMA, it changes offsets_size...\n");
    // txn.offsets_size = 0xFFFFFFFF; // Malicious value modification

    // Step 4: Kernel reads back the value from VMA
    printf("[*] Kernel reading back offsets from VMA...\n");

    // Result: Kernel misinterprets memory layout, leading to potential escalation
    printf("[-] Exploitation logic complete (depends on VMA write capability).\n");
}

int main(void) {
    trigger_race();
    return 0;
}

References

https://git.kernel.org/stable/c/3672141c93b7a0c0132bf5d5021a4b7f1d663aaa
https://git.kernel.org/stable/c/4cb9e13fec0de7c942f5f927469beb8e48ddd20f
https://git.kernel.org/stable/c/e19afb53f7723b3bd22224f2b0c7dcfa70bb973f

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43433", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:55.607", "lastModified": "2026-05-11T08:16:13.830", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: avoid reading the written value in offsets array\n\nWhen sending a transaction, its offsets array is first copied into the\ntarget proc's vma, and then the values are read back from there. This is\nnormally fine because the vma is a read-only mapping, so the target\nprocess cannot change the value under us.\n\nHowever, if the target process somehow gains the ability to write to its\nown vma, it could change the offset before it's read back, causing the\nkernel to misinterpret what the sender meant. If the sender happens to\nsend a payload with a specific shape, this could in the worst case lead\nto the receiver being able to privilege escalate into the sender.\n\nThe intent is that gaining the ability to change the read-only vma of\nyour own process should not be exploitable, so remove this TOCTOU read\neven though it's unexploitable without another Binder bug."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/3672141c93b7a0c0132bf5d5021a4b7f1d663aaa", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4cb9e13fec0de7c942f5f927469beb8e48ddd20f", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e19afb53f7723b3bd22224f2b0c7dcfa70bb973f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}