Unrated severity · NVD Advisory · Published May 8, 2026 · Updated May 12, 2026

CVE-2026-43435

Description

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: fix oneway spam detection

The spam detection logic in TreeRange was executed before the current request was inserted into the tree. So the new request was not being factored in the spam calculation. Fix this by moving the logic after the new range has been inserted.

Also, the detection logic for ArrayRange was missing altogether which meant large spamming transactions could get away without being detected. Fix this by implementing an equivalent low_oneway_space() in ArrayRange.

Note that I looked into centralizing this logic in RangeAllocator but iterating through 'state' and 'size' got a bit too complicated (for me) and I abandoned this effort.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Linux kernel rust_binder fix moves oneway spam detection in TreeRange to run after the new range is inserted and adds the missing check to ArrayRange, preventing undetected transaction spam attacks.

Root Cause

The vulnerability resides in the Linux kernel's rust_binder implementation, specifically in the oneway spam detection logic for the binder transaction range allocator. In TreeRange, the spam check was executed before inserting the current request into the tree, meaning the new request was not factored into the calculation. Additionally, ArrayRange had no low_oneway_space() equivalent at all, allowing large batches of oneway transactions to bypass detection [1].

Exploitation

An attacker with local access and the ability to submit binder transactions could exploit this flaw by sending a high volume of oneway (asynchronous) transactions. Without proper spam detection, the binder driver may allocate excessive resources for pending oneway transactions, potentially leading to denial-of-service (DoS) conditions. The vulnerability allows the attacker to flood the system with binder transactions without being throttled [1].

Impact

Successful exploitation could enable a local unprivileged attacker to cause a denial-of-service (resource exhaustion) on the binder driver, impacting overall system stability and availability. The vulnerability is in the Android/Linux binder subsystem used heavily for inter-process communication, so critical services may become unresponsive.

Mitigation

A fix was applied in Linux kernel stable commit 4fc87c240b8f [1]. The patch moves the spam detection in TreeRange to after insertion and adds an equivalent low_oneway_space() check to ArrayRange. Users should apply kernel updates containing this commit, or any downstream stable release that backports it.
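
The ordering change described above, as an added example that is not the kernel's rust_binder code: a simplified Rust model of a oneway range allocator that compares check-before-insert with insert-then-check. The `Allocator` type, the `reserve_*` and `first_flagged` names, the 4096-byte buffer and both thresholds are assumptions made for illustration; only the name `low_oneway_space` comes from the description.

```rust
// Simplified model of a oneway buffer allocator (added example, not kernel code).
// Assumed thresholds: more than 50 buffers, or more than a quarter of the space.
const MAX_ONEWAY_BUFFERS: usize = 50;

#[derive(Clone, Copy)]
struct Range { pid: u32, size: usize, oneway: bool }

struct Allocator { size: usize, ranges: Vec<Range> }

impl Allocator {
    /// True when `pid` holds too many oneway buffers or too much oneway space.
    fn low_oneway_space(&self, pid: u32) -> bool {
        let mine = self.ranges.iter().filter(|r| r.oneway && r.pid == pid);
        let (count, bytes) = mine.fold((0, 0), |(c, b), r| (c + 1, b + r.size));
        count > MAX_ONEWAY_BUFFERS || bytes > self.size / 4
    }

    /// Pre-fix ordering: the check runs before the new range is recorded.
    fn reserve_check_first(&mut self, r: Range) -> bool {
        let spam = r.oneway && self.low_oneway_space(r.pid);
        self.ranges.push(r);
        spam
    }

    /// Post-fix ordering: record the range, then run the check.
    fn reserve_insert_first(&mut self, r: Range) -> bool {
        self.ranges.push(r);
        r.oneway && self.low_oneway_space(r.pid)
    }
}

/// 1-based index of the first request flagged as spam, if any.
fn first_flagged(check_first: bool, reqs: &[Range]) -> Option<usize> {
    let mut a = Allocator { size: 4096, ranges: Vec::new() };
    reqs.iter().position(|&r| {
        if check_first { a.reserve_check_first(r) } else { a.reserve_insert_first(r) }
    }).map(|i| i + 1)
}

fn main() {
    // Constructed input: one large oneway request from pid 7, then a small one.
    let reqs = [Range { pid: 7, size: 2000, oneway: true },
                Range { pid: 7, size: 16, oneway: true }];
    println!("check-first flags request {:?}", first_flagged(true, &reqs));
    println!("insert-first flags request {:?}", first_flagged(false, &reqs));
}
```

With the constructed input, the pre-fix ordering flags only the second request, and a lone large request is never flagged; the post-fix ordering flags the large request as soon as it is reserved.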

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

3
