CVE-2026-23194

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/02/2026
Last modified:
14/02/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: correctly handle FDA objects of length zero

Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error. The previous implementation used `skip == 0` to mean "this is a pointer fixup", but 0 is also the correct skip length for an empty FDA. If the FDA is at the end of the buffer, then this results in an attempt to write 8 bytes out of bounds. This is caught and results in an EINVAL error being returned to userspace.

The pattern of using `skip == 0` as a special value originates from the C implementation of Binder. As part of fixing this bug, this pattern is replaced with a Rust enum.

I considered the alternate option of not pushing a fixup when the length is zero, but I think it's cleaner to just get rid of the zero-is-special stuff.

The root cause of this bug was diagnosed by Gemini CLI on first try. I used the following prompt:

> There appears to be a bug in @drivers/android/binder/thread.rs where
> the Fixups oob bug is triggered with 316 304 316 324. This implies
> that we somehow ended up with a fixup where buffer A has a pointer to
> buffer B, but the pointer is located at an index in buffer A that is
> out of bounds. Please investigate the code to find the bug. You may
> compare with @drivers/android/binder.c that implements this correctly.
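The following is an added illustration, not code from the kernel or from the fix itself: it models the `skip == 0` overloading described above with a constructed 16-byte buffer and an empty FDA placed at its end, and shows how an explicit enum makes a zero-length skip unambiguous. The fixup structures, the 8-byte pointer width and the `-22` (EINVAL) return value are assumptions chosen to match the description, not the driver's actual types.

```rust
// Constructed model of the bug: a fixup list where `skip == 0` is
// overloaded to mean "write a pointer here". Not the kernel's code.

const PTR_SIZE: usize = 8; // assumed pointer width written by a fixup
const EINVAL: i32 = -22;   // assumed error value returned to userspace

/// Legacy shape: offset plus skip length; skip == 0 means "pointer fixup".
struct LegacyFixup { offset: usize, skip: usize, ptr: u64 }

/// Apply legacy fixups; an empty FDA (skip == 0) is misread as a pointer.
fn apply_legacy(buf: &mut [u8], fixups: &[LegacyFixup]) -> Result<(), i32> {
    for f in fixups {
        // Zero-length skip and pointer fixup collapse into the same case.
        let len = if f.skip == 0 { PTR_SIZE } else { f.skip };
        let end = f.offset.checked_add(len).ok_or(EINVAL)?;
        if end > buf.len() { return Err(EINVAL); } // caught out-of-bounds write
        if f.skip == 0 {
            buf[f.offset..end].copy_from_slice(&f.ptr.to_ne_bytes());
        }
    }
    Ok(())
}

/// Fixed shape: the kind is explicit, so Skip(0) is simply a no-op skip.
enum FixupKind { Pointer(u64), Skip(usize) }
struct Fixup { offset: usize, kind: FixupKind }

fn apply_fixed(buf: &mut [u8], fixups: &[Fixup]) -> Result<(), i32> {
    for f in fixups {
        let len = match &f.kind {
            FixupKind::Pointer(_) => PTR_SIZE,
            FixupKind::Skip(n) => *n,
        };
        let end = f.offset.checked_add(len).ok_or(EINVAL)?;
        if end > buf.len() { return Err(EINVAL); }
        if let FixupKind::Pointer(p) = &f.kind {
            buf[f.offset..end].copy_from_slice(&p.to_ne_bytes());
        }
    }
    Ok(())
}

/// Constructed case: an empty FDA at the very end of a 16-byte buffer.
/// Returns (legacy result, fixed result).
fn empty_fda_at_end() -> (Result<(), i32>, Result<(), i32>) {
    let mut a = [0u8; 16];
    let mut b = [0u8; 16];
    let legacy = apply_legacy(&mut a, &[LegacyFixup { offset: 16, skip: 0, ptr: 0 }]);
    let fixed = apply_fixed(&mut b, &[Fixup { offset: 16, kind: FixupKind::Skip(0) }]);
    (legacy, fixed)
}
```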

Impact