CVE-2026-43433

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rust_binder: avoid reading the written value in offsets array<br /> <br /> When sending a transaction, its offsets array is first copied into the<br /> target proc&amp;#39;s vma, and then the values are read back from there. This is<br /> normally fine because the vma is a read-only mapping, so the target<br /> process cannot change the value under us.<br /> <br /> However, if the target process somehow gains the ability to write to its<br /> own vma, it could change the offset before it&amp;#39;s read back, causing the<br /> kernel to misinterpret what the sender meant. If the sender happens to<br /> send a payload with a specific shape, this could in the worst case lead<br /> to the receiver being able to privilege escalate into the sender.<br /> <br /> The intent is that gaining the ability to change the read-only vma of<br /> your own process should not be exploitable, so remove this TOCTOU read<br /> even though it&amp;#39;s unexploitable without another Binder bug.