PT-2025-51673 · Linux · Linux Kernel
Published 2025-12-16 · Updated 2025-12-19 · CVE-2025-68260
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Linux kernel versions 6.18 and later
Android Binder driver (Rust implementation) (affected versions not specified)
Description
The first Common Vulnerabilities and Exposures (CVE) has been assigned to Rust code within the Linux kernel. The issue, identified as CVE-2025-68260, affects the Rust-based Android Binder driver and is a race condition occurring within unsafe Rust code. This race condition can lead to memory corruption of next and prev pointers in a linked list, potentially causing a kernel panic or system crash. The issue arises from incorrect assumptions about concurrency within an unsafe block, specifically related to handling list insertions and removals. The unsafe code assumed that a node was either in the list or in no list, but concurrent threads could violate this assumption, leading to data corruption. The vulnerability does not currently appear to allow for Remote Code Execution (RCE) or privilege escalation, and is classified as a Denial of Service (DoS). The issue was resolved by processing elements directly from the original list while holding a lock, avoiding the race condition.
Recommendations
For kernel maintainers shipping kernels with the Rust Binder driver enabled (CONFIG_ANDROID_BINDER_IPC_RUST), ensure upstream patches for CVE-2025-68260 are applied.
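The locking pattern the description refers to, as an added user-space example in safe Rust; it is not the Binder driver's code. `Owner`, `pending`, `remove`, `drain_moved` and `drain_in_place` are hypothetical names, and the racy shape (moving the elements to a private list before processing them) is an assumption drawn from the description of the fix.

```rust
use std::collections::VecDeque;
use std::sync::Mutex;

/// User-space model (hypothetical names): `pending` stands in for a locked kernel list.
pub struct Owner {
    pending: Mutex<VecDeque<u32>>,
}

impl Owner {
    pub fn new(ids: &[u32]) -> Self {
        Owner { pending: Mutex::new(ids.iter().copied().collect()) }
    }

    /// A concurrent remover: take the lock and unlink `id` if it is there.
    /// Returns whether `id` was found in the list the lock protects.
    pub fn remove(&self, id: u32) -> bool {
        let mut list = self.pending.lock().unwrap();
        let pos = list.iter().position(|&x| x == id);
        pos.map(|i| list.remove(i)).is_some()
    }

    /// Racy shape (assumed): move everything to a private list, drop the lock, iterate.
    /// Queued elements now sit in a list that the lock no longer covers.
    pub fn drain_moved(&self, mut visit: impl FnMut(&Owner, u32)) -> Vec<u32> {
        let local = std::mem::take(&mut *self.pending.lock().unwrap());
        local.into_iter().inspect(|&id| visit(self, id)).collect()
    }

    /// Fixed shape: pop one element at a time from the original list under
    /// the lock; the lock is released only while that one element is handled.
    pub fn drain_in_place(&self, mut visit: impl FnMut(&Owner, u32)) -> Vec<u32> {
        let mut done = Vec::new();
        loop {
            // Guard is a temporary here, so it is dropped before `visit` runs.
            let next = self.pending.lock().unwrap().pop_front();
            let Some(id) = next else { break };
            visit(self, id);
            done.push(id);
        }
        done
    }
}

fn main() {
    // Constructed input: while element 1 is handled, another path removes 3.
    let racy = Owner::new(&[1, 2, 3]);
    println!("moved:    {:?}", racy.drain_moved(|o, id| if id == 1 { o.remove(3); }));
    let fixed = Owner::new(&[1, 2, 3]);
    println!("in place: {:?}", fixed.drain_in_place(|o, id| if id == 1 { o.remove(3); }));
}
```

In safe Rust the racy shape only makes `remove(3)` miss an element that is still queued and then process it anyway; in the driver's unsafe list code, the description attributes the corruption of the next and prev pointers to the same broken assumption.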
Related Identifiers
CVE-2025-68260
Affected Products
Linux Kernel
References · 16
- https://nvd.nist.gov/vuln/detail/CVE-2025-68260 · Security Note
- https://i.redd.it/u1uyu3z22u7g1.png · Reddit Post
- https://twitter.com/grok/status/2001462158547198309 · Twitter Post
- https://twitter.com/grok/status/2001371119106789458 · Twitter Post
- https://git.kernel.org/stable/c/3e0ae02ba831da2b707905f4e602e43f8507b8cc · Note
- https://reddit.com/r/SecOpsDaily/comments/1pp4m0v/first_cve_assigned_to_rust_code_in_linux_kernel · Reddit Post
- https://twitter.com/Awkiffffff/status/2001544131701870596 · Twitter Post
- https://reddit.com/r/rust/comments/1pq94dr/rusts_first_kernel_cve_cve202568260_what_does_it · Reddit Post
- https://twitter.com/grok/status/2001496475772023179 · Twitter Post
- https://twitter.com/grok/status/2001530718246113453 · Twitter Post
- https://twitter.com/jreuben1/status/2001521338226249780 · Twitter Post
- https://twitter.com/grok/status/2001709105417720016 · Twitter Post
- https://twitter.com/CVEnew/status/2000986461387284757 · Twitter Post
- https://twitter.com/cyberkendra/status/2001324278189597012 · Twitter Post
- https://twitter.com/The_Hunt_x/status/2001364386699694546 · Twitter Post