CVE-2026-23184
Published: 14 February 2026
Summary
CVE-2026-23184 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 5.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23184 is a Use-After-Free (UAF) vulnerability in the Linux kernel's binder interprocess communication (IPC) subsystem, specifically within the binder_netlink_report() function. The issue arises during oneway transactions sent to frozen targets via binder_proc_transaction(), which return a BR_TRANSACTION_PENDING_FROZEN error but are treated as successful in anticipation of the target thawing. This leads to unsafe dereferencing of the transaction structure 't' after the error, as the transaction may be consumed by the thawed target, resulting in a slab-use-after-free as reported by KASAN.
The CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) describes a local attacker with low privileges and no user interaction. By triggering the flawed transaction handling in binder_netlink_report(), the attacker can achieve high-impact confidentiality, integrity, and availability violations, such as memory corruption, arbitrary code execution, or kernel crashes, through the UAF on the transaction structure.
The provided kernel patch commits resolve the issue by creating a copy of the transaction structure, ensuring safe access to its data in binder_netlink_report() even after a pending frozen error. An additional comment is added to prohibit use of t->buffer in that function. Security practitioners should apply these stable kernel updates to mitigate the vulnerability.
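A user-space model of the ordering problem and the copy-first fix described above, added here as an illustration. It is not the kernel patch or binder code; struct txn, struct report, queue_to_target() and the send_report_* functions are hypothetical names, and the values in main() are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space model, not the kernel's struct binder_transaction. */
struct txn { int from_pid, to_pid; unsigned code; char *buffer; };
struct report { int from_pid, to_pid; unsigned code; int status; };
enum { TXN_FAILED = -1, TXN_PENDING_FROZEN = 1 };

struct txn *txn_new(int from, int to, unsigned code)
{
    struct txn *t = calloc(1, sizeof(*t));
    if (!t) abort();
    t->from_pid = from; t->to_pid = to; t->code = code;
    t->buffer = malloc(16);             /* payload, owned by whoever owns t */
    return t;
}
void txn_free(struct txn *t) { free(t->buffer); free(t); }

/* Queue t to a frozen target; models the worst case where it thaws and consumes t at once. */
int queue_to_target(struct txn *t)
{
    if (t->to_pid <= 0) return TXN_FAILED;  /* caller keeps ownership */
    txn_free(t);                            /* consumed by the thawed target */
    return TXN_PENDING_FROZEN;
}

/* Flawed ordering: fills the report from t after ownership has moved. */
struct report send_report_unsafe(struct txn *t)
{
    int status = queue_to_target(t);
    struct report r = { t->from_pid, t->to_pid, t->code, status }; /* use-after-free on PENDING_FROZEN */
    if (status == TXN_FAILED) txn_free(t);
    return r;
}

/* Corrected ordering: copy the scalar fields first, never keep t->buffer. */
struct report send_report_safe(struct txn *t)
{
    struct report r = { t->from_pid, t->to_pid, t->code, 0 };
    r.status = queue_to_target(t);
    if (r.status == TXN_FAILED) txn_free(t);   /* still ours on failure */
    return r;                                  /* t is not touched again */
}

int main(void)
{
    struct report r = send_report_safe(txn_new(100, 200, 7));  /* constructed values */
    printf("status=%d from=%d to=%d code=%u\n", r.status, r.from_pid, r.to_pid, r.code);
}
```

Building with -fsanitize=address and calling send_report_unsafe() with a valid target produces a heap-use-after-free report analogous to the KASAN splat, while send_report_safe() runs clean.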
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5858
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

binder: fix UAF in binder_netlink_report()

Oneway transactions sent to frozen targets via binder_proc_transaction() return a BR_TRANSACTION_PENDING_FROZEN error but they are still treated as successful since the target is expected to thaw at some point. It is then not safe to access 't' after BR_TRANSACTION_PENDING_FROZEN errors as the transaction could have been consumed by the now thawed target.

This is the case for binder_netlink_report() which dereferences 't' after a pending frozen error, as pointed out by the following KASAN report:

    ==================================================================
    BUG: KASAN: slab-use-after-free in binder_netlink_report.isra.0+0x694/0x6c8
    Read of size 8 at addr ffff00000f98ba38 by task binder-util/522

    CPU: 4 UID: 0 PID: 522 Comm: binder-util Not tainted 6.19.0-rc6-00015-gc03e9c42ae8f #1 PREEMPT
    Hardware name: linux,dummy-virt (DT)
    Call trace:
     binder_netlink_report.isra.0+0x694/0x6c8
     binder_transaction+0x66e4/0x79b8
     binder_thread_write+0xab4/0x4440
     binder_ioctl+0x1fd4/0x2940
     [...]

    Allocated by task 522:
     __kmalloc_cache_noprof+0x17c/0x50c
     binder_transaction+0x584/0x79b8
     binder_thread_write+0xab4/0x4440
     binder_ioctl+0x1fd4/0x2940
     [...]

    Freed by task 488:
     kfree+0x1d0/0x420
     binder_free_transaction+0x150/0x234
     binder_thread_read+0x2d08/0x3ce4
     binder_ioctl+0x488/0x2940
     [...]
    ==================================================================

Instead, make a transaction copy so the data can be safely accessed by binder_netlink_report() after a pending frozen error. While here, add a comment about not using t->buffer in binder_netlink_report().
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF in binder IPC directly enables privilege escalation via memory corruption and arbitrary code execution from low-privileged context.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the UAF vulnerability by requiring identification, reporting, and timely patching of the Linux kernel flaw in binder_netlink_report().
- Implements memory protections such as kernel address space layout randomization and supervisor mode access prevention to mitigate exploitation of the freed transaction structure 't'.
- Scans the Linux kernel for known vulnerabilities like CVE-2026-23184 to identify systems requiring remediation.