CVE-2026-43435 Overview
CVE-2026-43435 is a Linux kernel vulnerability in the rust_binder driver. The flaw affects oneway spam detection logic used to prevent malicious processes from flooding the binder IPC subsystem with asynchronous transactions. The spam detection in TreeRange ran before the current request was inserted into the tree, so the new request was excluded from spam calculations. The detection logic was also entirely missing from ArrayRange, allowing large spamming transactions to bypass the throttle.
Critical Impact
Unprivileged local processes can issue large volumes of oneway binder transactions without triggering spam protection, enabling resource exhaustion against binder-dependent services.
Affected Products
- Linux kernel versions that include the rust_binder driver and predate the upstream fix
- Distributions shipping the Rust binder implementation
- Android-derived systems integrating the Rust binder driver
Discovery Timeline
- 2026-05-08 - CVE-2026-43435 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43435
Vulnerability Analysis
The rust_binder driver implements oneway (asynchronous) IPC transactions on Android-style binder infrastructure. To prevent abuse, the binder enforces a low_oneway_space() check that rejects new transactions when a target process is running low on async buffer space.
In the affected code, the TreeRange allocator evaluated this spam condition before inserting the new range into its tree. The size of the in-flight request was therefore omitted from the threshold calculation. A caller could submit transactions just under the limit each time and never trigger detection.
The ArrayRange allocator lacked an equivalent low_oneway_space() implementation entirely. Workloads using array-backed allocation could send unbounded oneway traffic with no spam check at all.
Root Cause
The root cause is a logic ordering bug combined with missing functionality. TreeRange performed its check against pre-insertion state rather than the post-insertion tree. ArrayRange had no spam accounting path, leaving a parallel allocation strategy unprotected. Centralizing the logic in RangeAllocator was considered but not pursued due to iteration complexity across state and size.
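The ordering problem in TreeRange can be seen in a small model. This is an added example, not the rust_binder source: only the name low_oneway_space() comes from the advisory, while the types, the buffer size and both thresholds are assumptions chosen for illustration.

```rust
// Simplified model of the check ordering; not the kernel's code. All values are constructed.
const BUFFER_SIZE: usize = 1024; // assumed total buffer size
const MAX_ONEWAY_BUFFERS: usize = 50; // assumed per-sender buffer count limit
const MAX_ONEWAY_FRACTION: usize = 4; // assumed: a sender may hold at most 1/4 of the buffer

struct Range { pid: u32, size: usize, oneway: bool }

#[derive(Default)]
struct Allocator { ranges: Vec<Range> }

impl Allocator {
    /// True when `pid` holds too many oneway buffers or too large a share of the space.
    fn low_oneway_space(&self, pid: u32) -> bool {
        let (count, total) = self.ranges.iter()
            .filter(|r| r.oneway && r.pid == pid)
            .fold((0usize, 0usize), |(c, t), r| (c + 1, t + r.size));
        count > MAX_ONEWAY_BUFFERS || total > BUFFER_SIZE / MAX_ONEWAY_FRACTION
    }

    /// Affected ordering: the check runs on the state before the new range exists.
    fn reserve_check_first(&mut self, pid: u32, size: usize) -> bool {
        let spam = self.low_oneway_space(pid);
        self.ranges.push(Range { pid, size, oneway: true });
        spam
    }

    /// Fixed ordering: insert first, then check, so the new request is counted.
    fn reserve_insert_first(&mut self, pid: u32, size: usize) -> bool {
        self.ranges.push(Range { pid, size, oneway: true });
        self.low_oneway_space(pid)
    }
}

/// Spam flag for a request of `last` bytes when the sender already holds `prior` bytes.
fn flagged(prior: usize, last: usize, fixed: bool) -> bool {
    let mut a = Allocator::default();
    a.ranges.push(Range { pid: 7, size: prior, oneway: true });
    if fixed { a.reserve_insert_first(7, last) } else { a.reserve_check_first(7, last) }
}

fn main() {
    // 200 bytes held, 100 requested: 300 exceeds 256 only once the request is counted.
    println!("check-first flagged:  {}", flagged(200, 100, false));
    println!("insert-first flagged: {}", flagged(200, 100, true));
}
```

With the check-first ordering the request that crosses the limit is accepted unflagged, and the condition is only noticed on a later request; the insert-first ordering flags it on the request that causes it.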
Attack Vector
A local unprivileged process with access to the binder device can issue crafted oneway transactions targeting a victim service. By keeping each individual transaction under the unchecked threshold, the attacker accumulates buffer pressure in the target without triggering rejection. The result is denial of service against binder-mediated services, including potential exhaustion of async transaction memory.
No synthetic exploit code is published with the advisory. The fix moves the spam check after range insertion in TreeRange and adds an equivalent low_oneway_space() implementation in ArrayRange. See the upstream commits 4fc87c2, 8d34c99, and edf6859 for the patch details.
Detection Methods for CVE-2026-43435
Indicators of Compromise
- Sustained high-rate oneway binder transactions from a single unprivileged process to a target service
- Growth in binder async transaction buffer usage without corresponding rejection events
- Service-side latency or unresponsiveness in binder-backed daemons without crash signatures
Detection Strategies
- Instrument binder transaction counters per UID and alert on anomalous oneway transaction rates
- Monitor kernel logs for binder buffer pressure messages on affected hosts
- Compare running kernel commit hashes against the fixed commits 4fc87c2, 8d34c99, and edf6859
Monitoring Recommendations
- Track per-process binder activity using binder_stats debug interfaces where available
- Establish baselines for oneway transaction volume on production Android or binder-enabled Linux hosts
- Correlate process behavior with service degradation events using a centralized log pipeline
How to Mitigate CVE-2026-43435
Immediate Actions Required
- Inventory hosts running kernels with the rust_binder driver enabled
- Apply the upstream kernel patches referenced in the advisory and reboot affected systems
- Restrict access to the binder device node to trusted UIDs where feasible
Patch Information
The fix is delivered through three upstream stable kernel commits: 4fc87c2, 8d34c99, and edf6859. The patches move the TreeRange spam check to after range insertion and implement low_oneway_space() in ArrayRange. Distribution maintainers should backport these commits to long-term support kernels carrying the Rust binder driver.
Workarounds
- Disable the rust_binder driver where it is not required for production workloads
- Apply mandatory access control policies such as SELinux to restrict which processes can open binder devices
- Rate-limit untrusted workloads at the container or cgroup boundary to constrain binder transaction volume


