{"id":"CVE-2025-68260","summary":"rust_binder: fix race condition on death_list","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: fix race condition on death_list\n\nRust Binder contains the following unsafe operation:\n\n\t// SAFETY: A `NodeDeath` is never inserted into the death list\n\t// of any node other than its owner, so it is either in this\n\t// death list or in no death list.\n\tunsafe { node_inner.death_list.remove(self) };\n\nThis operation is unsafe because when touching the prev/next pointers of\na list element, we have to ensure that no other thread is also touching\nthem in parallel. If the node is present in the list that `remove` is\ncalled on, then that is fine because we have exclusive access to that\nlist. If the node is not in any list, then it's also ok. But if it's\npresent in a different list that may be accessed in parallel, then that\nmay be a data race on the prev/next pointers.\n\nAnd unfortunately that is exactly what is happening here. In\nNode::release, we:\n\n 1. Take the lock.\n 2. Move all items to a local list on the stack.\n 3. Drop the lock.\n 4. Iterate the local list on the stack.\n\nCombined with threads using the unsafe remove method on the original\nlist, this leads to memory corruption of the prev/next pointers. This\nleads to crashes like this one:\n\n\tUnable to handle kernel paging request at virtual address 000bb9841bcac70e\n\tMem abort info:\n\t  ESR = 0x0000000096000044\n\t  EC = 0x25: DABT (current EL), IL = 32 bits\n\t  SET = 0, FnV = 0\n\t  EA = 0, S1PTW = 0\n\t  FSC = 0x04: level 0 translation fault\n\tData abort info:\n\t  ISV = 0, ISS = 0x00000044, ISS2 = 0x00000000\n\t  CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n\t  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n\t[000bb9841bcac70e] address between user and kernel address ranges\n\tInternal error: Oops: 0000000096000044 [#1] PREEMPT SMP\n\tgoogle-cdd 538c004.gcdd: context saved(CPU:1)\n\titem - log_kevents is disabled\n\tModules linked in: ... rust_binder\n\tCPU: 1 UID: 0 PID: 2092 Comm: kworker/1:178 Tainted: G S      W  OE      6.12.52-android16-5-g98debd5df505-4k #1 f94a6367396c5488d635708e43ee0c888d230b0b\n\tTainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n\tHardware name: MUSTANG PVT 1.0 based on LGA (DT)\n\tWorkqueue: events _RNvXs6_NtCsdfZWD8DztAw_6kernel9workqueueINtNtNtB7_4sync3arc3ArcNtNtCs8QPsHWIn21X_16rust_binder_main7process7ProcessEINtB5_15WorkItemPointerKy0_E3runB13_ [rust_binder]\n\tpstate: 23400005 (nzCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n\tpc : _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x450/0x11f8 [rust_binder]\n\tlr : _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x464/0x11f8 [rust_binder]\n\tsp : ffffffc09b433ac0\n\tx29: ffffffc09b433d30 x28: ffffff8821690000 x27: ffffffd40cbaa448\n\tx26: ffffff8821690000 x25: 00000000ffffffff x24: ffffff88d0376578\n\tx23: 0000000000000001 x22: ffffffc09b433c78 x21: ffffff88e8f9bf40\n\tx20: ffffff88e8f9bf40 x19: ffffff882692b000 x18: ffffffd40f10bf00\n\tx17: 00000000c006287d x16: 00000000c006287d x15: 00000000000003b0\n\tx14: 0000000000000100 x13: 000000201cb79ae0 x12: fffffffffffffff0\n\tx11: 0000000000000000 x10: 0000000000000001 x9 : 0000000000000000\n\tx8 : b80bb9841bcac706 x7 : 0000000000000001 x6 : fffffffebee63f30\n\tx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\n\tx2 : 0000000000004c31 x1 : ffffff88216900c0 x0 : ffffff88e8f9bf00\n\tCall trace:\n\t _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x450/0x11f8 [rust_binder bbc172b53665bbc815363b22e97e3f7e3fe971fc]\n\t process_scheduled_works+0x1c4/0x45c\n\t worker_thread+0x32c/0x3e8\n\t kthread+0x11c/0x1c8\n\t ret_from_fork+0x10/0x20\n\tCode: 94218d85 b4000155 a94026a8 d10102a0 (f9000509)\n\t---[ end trace 0000000000000000 ]---\n\nThus, modify Node::release to pop items directly off the original list.","modified":"2026-03-20T12:46:20.132271Z","published":"2025-12-16T14:45:02.499Z","related":["openSUSE-SU-2025:15836-1","openSUSE-SU-2026:10301-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68260.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3428831264096d32f830a7fcfc7885dd263e511a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3e0ae02ba831da2b707905f4e602e43f8507b8cc"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68260.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68260"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"eafedbc7c050c44744fbdf80bdf3315e860b7513"},{"fixed":"3428831264096d32f830a7fcfc7885dd263e511a"},{"fixed":"3e0ae02ba831da2b707905f4e602e43f8507b8cc"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68260.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.18.0"},{"fixed":"6.18.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68260.json"}}],"schema_version":"1.7.5"}