CVE-2026-23194

High

Published: 14 February 2026

Modified: 19 March 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23194 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel (vendor: Linux). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation). EPSS ranks it at the 5.5th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

This vulnerability is tagged as AI-related, categorised under Other Platforms, with the risk domain recorded as Not Applicable.

The strongest mitigations identified by this analysis are NIST SP 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-23194 is an out-of-bounds write vulnerability (CWE-787) in the Linux kernel's rust_binder driver, in drivers/android/binder/thread.rs. The issue arises from incorrect handling of empty FDA (file descriptor array) objects, that is, FDA objects carrying zero file descriptors. The prior implementation treated a skip value of zero as a special marker for pointer fixups, a pattern borrowed from the C Binder implementation, but zero is also the valid skip length for an empty FDA. When such an object sits at the end of a buffer, the code attempts to write 8 bytes past the end of the buffer; the kernel catches this and returns EINVAL to userspace.

A local, low-privileged attacker can reach the flaw by sending malformed Binder IPC transactions that contain an empty FDA object positioned so as to trigger the out-of-bounds access. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impact on confidentiality, integrity, and availability: the rating assumes kernel memory corruption, denial of service, or escalation to higher privileges remain possible despite the error handling.

The fix commits replace the skip == 0 special case with a Rust enum that distinguishes pointer fixups from empty FDAs, so the two cases are handled correctly without any out-of-bounds access. Practitioners should apply the stable kernel updates from the referenced commits: https://git.kernel.org/stable/c/598fe3ff32e43918ed8a062f55432b3d23e6340c and https://git.kernel.org/stable/c/8f589c9c3be539d6c2b393c82940c3783831082f.

Notably, the root cause was diagnosed on the first attempt by Gemini CLI, using a targeted prompt that asked it to compare the Rust code with the correct C implementation in drivers/android/binder.c, which illustrates the potential of AI tooling in kernel vulnerability triage. No real-world exploitation had been reported as of the CVE publication on 2026-02-14.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: correctly handle FDA objects of length zero

Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error. The previous implementation used `skip == 0` to mean "this is a pointer fixup", but 0 is also the correct skip length for an empty FDA. If the FDA is at the end of the buffer, then this results in an attempt to write 8 bytes out of bounds. This is caught and results in an EINVAL error being returned to userspace.

The pattern of using `skip == 0` as a special value originates from the C implementation of Binder. As part of fixing this bug, this pattern is replaced with a Rust enum. I considered the alternate option of not pushing a fixup when the length is zero, but I think it's cleaner to just get rid of the zero-is-special stuff.

The root cause of this bug was diagnosed by Gemini CLI on first try. I used the following prompt:

> There appears to be a bug in @drivers/android/binder/thread.rs where
> the Fixups oob bug is triggered with 316 304 316 324. This implies
> that we somehow ended up with a fixup where buffer A has a pointer to
> buffer B, but the pointer is located at an index in buffer A that is
> out of bounds. Please investigate the code to find the bug. You may
> compare with @drivers/android/binder.c that implements this correctly.

CWE(s)

CWE-787 Out-of-bounds Write

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Not Applicable
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: gemini

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local kernel OOB write via Binder IPC directly enables privilege escalation (T1068) and system exploitation for DoS (T1499.004) from low-privileged userspace.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47640 (same product: Linux kernel)
CVE-2026-31505 (same product: Linux kernel)
CVE-2026-23323 (same product: Linux kernel)
CVE-2026-23422 (same product: Linux kernel)
CVE-2022-49645 (same product: Linux kernel)
CVE-2022-49722 (same product: Linux kernel)
CVE-2026-31698 (same product: Linux kernel)
CVE-2025-71137 (same product: Linux kernel)
CVE-2026-31772 (same product: Linux kernel)
CVE-2022-49612 (same product: Linux kernel)

Affected Assets

Linux kernel (vendor: Linux), versions 6.19 and 6.18 through 6.18.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2 Flaw Remediation): Applying the stable kernel patches directly resolves the out-of-bounds write in the rust_binder driver by fixing the skip == 0 handling for empty FDA objects.

Prevent (SI-10 Information Input Validation): Validating Binder IPC transaction inputs, including FDA object lengths and positions, prevents malformed data from triggering out-of-bounds access.

Prevent: Kernel memory protections such as address space layout randomization and guard pages mitigate exploitation of the out-of-bounds write even if the logic flaw is triggered.

References

https://git.kernel.org/stable/c/598fe3ff32e43918ed8a062f55432b3d23e6340c
https://git.kernel.org/stable/c/8f589c9c3be539d6c2b393c82940c3783831082f