CVE-2025-40028
Description
In the Linux kernel, the following vulnerability has been resolved:
binder: fix double-free in dbitmap
A process might fail to allocate a new bitmap when trying to expand its proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap via dbitmap_free(). However, the driver calls dbitmap_free() again when the same process terminates, leading to a double-free error:
==================================================================
BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c
Free of addr ffff00000b7c1420 by task kworker/9:1/209

CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
 kfree+0x164/0x31c
 binder_proc_dec_tmpref+0x2e0/0x55c
 binder_deferred_func+0xc24/0x1120
 process_one_work+0x520/0xba4
 [...]

Allocated by task 448:
 __kmalloc_noprof+0x178/0x3c0
 bitmap_zalloc+0x24/0x30
 binder_open+0x14c/0xc10
 [...]

Freed by task 449:
 kfree+0x184/0x31c
 binder_inc_ref_for_node+0xb44/0xe44
 binder_transaction+0x29b4/0x7fbc
 binder_thread_write+0x1708/0x442c
 binder_ioctl+0x1b50/0x2900
 [...]
==================================================================
Fix this issue by marking proc->map NULL in dbitmap_free().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Double-free vulnerability in Linux kernel binder driver: dbitmap_free() does not nullify proc->map, enabling a second free on process termination after a failed bitmap expansion.
Root Cause
A double-free vulnerability exists in the Linux kernel's binder driver within the dbitmap memory management code. When a process attempts to expand its proc->dmap via dbitmap_grow(), a memory allocation failure causes the old bitmap to be freed through dbitmap_free(). However, the function does not set proc->map to NULL after freeing the bitmap, leaving a dangling pointer. Later, when the process terminates, binder_proc_dec_tmpref() calls dbitmap_free() again on the same pointer, resulting in a double-free that is detected by KASAN [1],[2].
Exploitation Context
The vulnerability can be triggered by a local user who opens a binder device and performs binder transactions that cause the process's bitmap to be expanded. If the expansion fails (e.g., due to memory pressure), the dangling pointer remains. Upon process exit, the deferred workqueue (binder_deferred_func) invokes the cleanup path that frees the already-freed bitmap, leading to kernel memory corruption [1].
Impact
A double-free in kernel memory can corrupt the kernel heap, potentially leading to a denial-of-service (system crash) or, in some cases, privilege escalation if an attacker can manipulate the freed memory to achieve code execution. The KASAN report clearly shows the double-free occurring during process termination [1].
Mitigation
The fix, included in stable kernel commits, ensures that dbitmap_free() sets proc->map to NULL after freeing the bitmap, preventing a second free on the same pointer. Users should update to a kernel version containing the fix, or apply the relevant patch [1],[2].
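The grow-failure path and the fix described above, as an added userspace model rather than the kernel's own dbitmap code: the struct layout, the dbitmap_init/dbitmap_grow signatures, the bitmap_zalloc_model() allocator and the fail_next_alloc hook are simplifications assumed here for illustration. The model keeps both variants of the free helper side by side, injects an allocation failure at grow time, and then checks whether the teardown path would hand an already-freed pointer to free() again. The double free itself is never performed, so the program stays well-defined; the check is the point.

```c
/* Userspace model of the binder dbitmap grow/free lifecycle (added example,
 * not kernel code). Names and signatures below are simplified assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

struct dbitmap {
    unsigned int nbits;
    unsigned long *map;
};

/* Constructed hook: when set, the next allocation fails (simulated ENOMEM). */
static bool fail_next_alloc;

static unsigned long *bitmap_zalloc_model(unsigned int nbits)
{
    if (fail_next_alloc) {
        fail_next_alloc = false;
        return NULL;
    }
    return calloc(BITS_TO_LONGS(nbits), sizeof(unsigned long));
}

/* Vulnerable free: releases the buffer but leaves dmap->map dangling. */
static void dbitmap_free_vuln(struct dbitmap *dmap)
{
    dmap->nbits = 0;
    free(dmap->map);
}

/* Fixed free: also clears the pointer, so a second call is free(NULL), a no-op. */
static void dbitmap_free_fixed(struct dbitmap *dmap)
{
    dmap->nbits = 0;
    free(dmap->map);
    dmap->map = NULL;
}

typedef void (*dbitmap_free_fn)(struct dbitmap *);

static int dbitmap_init(struct dbitmap *dmap, unsigned int nbits)
{
    dmap->map = bitmap_zalloc_model(nbits);
    if (!dmap->map) {
        dmap->nbits = 0;
        return -ENOMEM;
    }
    dmap->nbits = nbits;
    return 0;
}

/* Grow to nbits; on allocation failure the bitmap is disabled via free_fn
 * (the driver then falls back to its slow lookup path). */
static int dbitmap_grow(struct dbitmap *dmap, unsigned int nbits, dbitmap_free_fn free_fn)
{
    unsigned long *new;

    if (dmap->nbits >= nbits)
        return 0;
    new = bitmap_zalloc_model(nbits);
    if (!new) {
        free_fn(dmap);
        return -ENOMEM;
    }
    memcpy(new, dmap->map, BITS_TO_LONGS(dmap->nbits) * sizeof(unsigned long));
    free(dmap->map);
    dmap->map = new;
    dmap->nbits = nbits;
    return 0;
}

/* Open -> use a descriptor -> grow fails under memory pressure -> process exits.
 * Returns 1 if the teardown path would free the already-freed buffer (the CVE
 * condition), 0 if teardown was safe, -1 on unexpected model failure. The double
 * free is detected, not executed. */
static int simulate_lifecycle(dbitmap_free_fn free_fn)
{
    struct dbitmap dmap;
    uintptr_t old;

    if (dbitmap_init(&dmap, 64) != 0)
        return -1;
    dmap.map[0] |= 1UL << 5;          /* one descriptor in use */
    old = (uintptr_t)dmap.map;
    fail_next_alloc = true;           /* constructed: the expansion allocation fails */
    if (dbitmap_grow(&dmap, 128, free_fn) == 0)
        return -1;                    /* the model expected this grow to fail */
    /* Process termination: the cleanup path calls the free helper again. */
    if ((uintptr_t)dmap.map == old)
        return 1;                     /* stale pointer still stored: would double-free */
    free_fn(&dmap);                   /* fixed variant: map is NULL, harmless */
    return 0;
}

/* Sanity check of the success path: a set bit survives a successful grow. */
static int grow_preserves_bit(void)
{
    struct dbitmap dmap;
    int set;

    if (dbitmap_init(&dmap, 64) != 0)
        return -1;
    dmap.map[0] |= 1UL << 5;
    if (dbitmap_grow(&dmap, 256, dbitmap_free_fixed) != 0)
        return -1;
    set = (dmap.nbits == 256) && ((dmap.map[0] >> 5) & 1UL);
    dbitmap_free_fixed(&dmap);
    return set;
}

int main(void)
{
    printf("vulnerable free: teardown would double-free = %d\n",
           simulate_lifecycle(dbitmap_free_vuln));
    printf("fixed free:      teardown would double-free = %d\n",
           simulate_lifecycle(dbitmap_free_fixed));
    printf("successful grow preserves bit = %d\n", grow_preserves_bit());
    return 0;
}
```

The model reports 1 for the vulnerable helper and 0 for the fixed one. Clearing the pointer in the free helper is what makes the teardown idempotent regardless of how many earlier paths (a failed grow here, but any other early-disable path as well) already released the buffer; relying on every caller to remember the state is exactly what went wrong.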
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
4c301ec61ce6f039063397996b781e5635a333ebcd3460cad
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.