CVE-2026-23400 Overview
A deadlock vulnerability has been identified in the Linux kernel's Rust binder implementation (rust_binder). The flaw occurs in the death notification handling mechanism where improper lock management during set_notification_done() can cause the kernel to enter a deadlock state when processing BC_DEAD_BINDER_DONE commands on non-looper threads.
Critical Impact
This vulnerability can cause kernel deadlock conditions, resulting in system unresponsiveness and potential denial of service on affected Linux systems running the Rust binder implementation.
Affected Products
- Linux kernel with rust_binder enabled
- Systems using the Rust-based binder implementation for IPC
Discovery Timeline
- 2026-03-29 - CVE CVE-2026-23400 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-23400
Vulnerability Analysis
The vulnerability exists in the Linux kernel's Rust binder subsystem, specifically in the handling of death notifications between processes. The deadlock condition arises from a specific sequence of events involving the process lock (proc lock) and thread lock synchronization.
When a death listener experiences the following sequence: (1) a remote process dies and sends a BR_DEAD_BINDER message, (2) the local process invokes BC_CLEAR_DEATH_NOTIFICATION, and (3) the local process invokes BC_DEAD_BINDER_DONE, the kernel responds with a BR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper().
The critical issue occurs when the current thread is not a looper. The dead_binder_done() function continues to hold the proc lock while calling set_notification_done(), which in turn invokes push_work_if_looper(). Under normal circumstances, push_work_if_looper() takes the thread lock, which can be safely acquired while holding the proc lock. However, when the current thread is not a looper, the function falls back to delivering the reply to the process work queue, which requires acquiring the proc lock. Since the proc lock is already held, this creates a classic deadlock scenario.
Root Cause
The root cause is improper lock scope management in the dead_binder_done() function. The proc lock was being held during the call to set_notification_done() when it was not intentionally required. This design oversight creates a lock ordering violation when the fallback path to the process work queue is taken, as it attempts to acquire the same lock that is already held by the calling thread.
Attack Vector
The vulnerability can be triggered through local IPC operations on systems using the Rust binder implementation. An attacker or malfunctioning process could potentially exploit this by manipulating death notification sequences on non-looper threads, causing the kernel to enter a deadlock state.
The fix involves releasing the proc lock before calling set_notification_done(). This ensures that when the fallback path requires the proc lock for the process work queue, it can be safely acquired without causing a deadlock.
Detection Methods for CVE-2026-23400
Indicators of Compromise
- System hangs or unresponsiveness during IPC operations involving binder
- Kernel threads stuck in waiting state with proc lock held
- Deadlock warnings in kernel logs related to binder operations
- Increased system load with no corresponding CPU activity (lock contention)
Detection Strategies
- Monitor kernel logs for deadlock detection warnings related to rust_binder or binder subsystem
- Check for hung tasks with hung_task_timeout_secs kernel parameter
- Use kernel lockdep to detect potential lock ordering violations
- Monitor binder transaction logs for BC_DEAD_BINDER_DONE processing anomalies
Monitoring Recommendations
- Enable lockdep debugging on development/test systems to catch lock ordering issues
- Configure kernel deadlock detection and reporting mechanisms
- Monitor system responsiveness metrics for IPC-heavy applications
- Implement alerting for kernel hung task warnings
How to Mitigate CVE-2026-23400
Immediate Actions Required
- Apply the kernel patches addressing the lock scope issue in dead_binder_done()
- Update to a patched Linux kernel version
- Consider disabling rust_binder if not required until patched
- Monitor systems for signs of deadlock conditions
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix modifies the dead_binder_done() function to release the proc lock before calling set_notification_done(), preventing the deadlock condition.
Relevant kernel commits are available:
Workarounds
- Ensure binder operations use looper threads exclusively (consistent with Android userspace behavior)
- Avoid invoking BC_DEAD_BINDER_DONE on non-looper threads
- Implement timeout mechanisms for IPC operations to detect deadlock conditions
- Consider kernel watchdog configurations to auto-recover from deadlock states
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
