CVE-2026-23400

{"id": "CVE-2026-23400", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-03-29T13:16:58.920", "references": [{"url": "https://git.kernel.org/stable/c/2e303f0febb65a434040774b793ba8356698802b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3be72099067d2cd4a0e089696f19780f75b2b88a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dd109e3442817bc03ad1f3ffd541092f8c428141", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-667"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: call set_notification_done() without proc lock\n\nConsider the following sequence of events on a death listener:\n1. The remote process dies and sends a BR_DEAD_BINDER message.\n2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command.\n3. The local process then invokes the BC_DEAD_BINDER_DONE.\nThen, the kernel will reply to the BC_DEAD_BINDER_DONE command with a\nBR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper().\n\nHowever, this can result in a deadlock if the current thread is not a\nlooper. This is because dead_binder_done() still holds the proc lock\nduring set_notification_done(), which called push_work_if_looper().\nNormally, push_work_if_looper() takes the thread lock, which is fine to\ntake under the proc lock. But if the current thread is not a looper,\nthen it falls back to delivering the reply to the process work queue,\nwhich involves taking the proc lock. Since the proc lock is already\nheld, this is a deadlock.\n\nFix this by releasing the proc lock during set_notification_done(). It\nwas not intentional that it was held during that function to begin with.\n\nI don't think this ever happens in Android because BC_DEAD_BINDER_DONE\nis only invoked in response to BR_DEAD_BINDER messages, and the kernel\nalways delivers BR_DEAD_BINDER to a looper. So there's no scenario where\nAndroid userspace will call BC_DEAD_BINDER_DONE on a non-looper thread."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nrust_binder: llamar a set_notification_done() sin el bloqueo de proc\n\nConsidere la siguiente secuencia de eventos en un oyente de muerte:\n1. El proceso remoto muere y env\u00eda un mensaje BR_DEAD_BINDER.\n2. El proceso local invoca el comando BC_CLEAR_DEATH_NOTIFICATION.\n3. El proceso local luego invoca el BC_DEAD_BINDER_DONE.\nEntonces, el kernel responder\u00e1 al comando BC_DEAD_BINDER_DONE con una\nrespuesta BR_CLEAR_DEATH_NOTIFICATION_DONE usando push_work_if_looper().\n\nSin embargo, esto puede resultar en un interbloqueo si el hilo actual no es un\nlooper. Esto se debe a que dead_binder_done() a\u00fan mantiene el bloqueo de proc\ndurante set_notification_done(), que llam\u00f3 a push_work_if_looper().\nNormalmente, push_work_if_looper() toma el bloqueo de hilo, lo cual est\u00e1 bien tomar\nbajo el bloqueo de proc. Pero si el hilo actual no es un looper,\nentonces recurre a entregar la respuesta a la cola de trabajo del proceso,\nlo que implica tomar el bloqueo de proc. Dado que el bloqueo de proc ya est\u00e1\nretenido, esto es un interbloqueo.\n\nSolucione esto liberando el bloqueo de proc durante set_notification_done(). No\nfue intencional que se mantuviera durante esa funci\u00f3n para empezar.\n\nNo creo que esto ocurra nunca en Android porque BC_DEAD_BINDER_DONE\nsolo se invoca en respuesta a mensajes BR_DEAD_BINDER, y el kernel\nsiempre entrega BR_DEAD_BINDER a un looper. As\u00ed que no hay ning\u00fan escenario donde\nel espacio de usuario de Android llame a BC_DEAD_BINDER_DONE en un hilo que no sea un looper."}], "lastModified": "2026-04-24T15:17:32.797", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F718F75-20D5-4D17-B698-1D1BD5FDE294", "versionEndExcluding": "6.18.19", "versionStartIncluding": "6.18.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E825E7C3-FEAC-4FD3-8A81-78D7387948C9", "versionEndExcluding": "6.19.9", "versionStartIncluding": "6.19"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DCE57113-2223-4308-A0F2-5E6ECFBB3C23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}