{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43435", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:56.009Z", "datePublished": "2026-05-08T14:22:05.921Z", "dateUpdated": "2026-05-08T14:22:05.921Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-08T14:22:05.921Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: fix oneway spam detection\n\nThe spam detection logic in TreeRange was executed before the current\nrequest was inserted into the tree. So the new request was not being\nfactored in the spam calculation. Fix this by moving the logic after\nthe new range has been inserted.\n\nAlso, the detection logic for ArrayRange was missing altogether which\nmeant large spamming transactions could get away without being detected.\nFix this by implementing an equivalent low_oneway_space() in ArrayRange.\n\nNote that I looked into centralizing this logic in RangeAllocator but\niterating through 'state' and 'size' got a bit too complicated (for me)\nand I abandoned this effort."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/android/binder/range_alloc/array.rs", "drivers/android/binder/range_alloc/mod.rs", "drivers/android/binder/range_alloc/tree.rs"], "versions": [{"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513", "lessThan": "edf685946c4acbe57cb96f8d5f3c07e9a2e973c8", "status": "affected", "versionType": "git"}, {"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513", "lessThan": "8d34c993a9a156e657e43cb95186980745cc3597", "status": "affected", "versionType": "git"}, {"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513", "lessThan": "4fc87c240b8f30e22b7ebaae29d57105589e1c0b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/android/binder/range_alloc/array.rs", "drivers/android/binder/range_alloc/mod.rs", "drivers/android/binder/range_alloc/tree.rs"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/edf685946c4acbe57cb96f8d5f3c07e9a2e973c8"}, {"url": "https://git.kernel.org/stable/c/8d34c993a9a156e657e43cb95186980745cc3597"}, {"url": "https://git.kernel.org/stable/c/4fc87c240b8f30e22b7ebaae29d57105589e1c0b"}], "title": "rust_binder: fix oneway spam detection", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: fix oneway spam detection\n\nThe spam detection logic in TreeRange was executed before the current\nrequest was inserted into the tree. So the new request was not being\nfactored in the spam calculation. Fix this by moving the logic after\nthe new range has been inserted.\n\nAlso, the detection logic for ArrayRange was missing altogether which\nmeant large spamming transactions could get away without being detected.\nFix this by implementing an equivalent low_oneway_space() in ArrayRange.\n\nNote that I looked into centralizing this logic in RangeAllocator but\niterating through 'state' and 'size' got a bit too complicated (for me)\nand I abandoned this effort."}], "id": "CVE-2026-43435", "lastModified": "2026-05-08T15:16:55.827", "metrics": {}, "published": "2026-05-08T15:16:55.827", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4fc87c240b8f30e22b7ebaae29d57105589e1c0b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8d34c993a9a156e657e43cb95186980745cc3597"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/edf685946c4acbe57cb96f8d5f3c07e9a2e973c8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}