PT-2025-51673 · Linux · Linux Kernel

Published: 2025-11-11 · Updated: 2026-03-07 · CVE-2025-68260

CVSS v2.0: 4.6 (Medium), AV:L/AC:L/Au:S/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Linux kernel versions 6.18 and later
Android Binder driver (Rust implementation)

Description

The first Common Vulnerabilities and Exposures (CVE) has been assigned to Rust code within the Linux kernel. The issue, identified as CVE-2025-68260, affects the Android Binder driver rewrite and is caused by a race condition in an unsafe block. This race condition can lead to memory corruption of the prev and next pointers in a linked list, potentially causing a kernel panic or system crash. The vulnerability is a result of a flaw in handling concurrency within the unsafe code, where the language's safety guarantees do not apply, and developers must manually ensure correctness. The issue occurs when threads concurrently access and modify a linked list, leading to data corruption. The vulnerability does not currently allow for remote code execution or privilege escalation, and is assessed as a Denial of Service (DoS) issue.

Recommendations

For kernel maintainers, ensure upstream patches for CVE-2025-68260 are applied if shipping kernels with the Rust Binder driver enabled (CONFIG_ANDROID_BINDER_IPC_RUST).
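
A scope check for the recommendation above, as an added example that is not part of the original advisory or of the kernel project: it reports whether a kernel falls in the affected range stated here (6.18 and later) with CONFIG_ANDROID_BINDER_IPC_RUST enabled. The function names and the config locations used in live mode (/proc/config.gz, /boot/config-<release>) are assumptions, and an "in-scope" verdict says nothing about whether the fix has already been backported.

```shell
#!/bin/sh
# Added example (not from the advisory): scope triage for CVE-2025-68260.
# Function names are hypothetical; the 6.18 boundary is the one stated on this page.

# kernel_in_range RELEASE: 0 if 6.18 or later, 1 if older, 2 if unparseable.
kernel_in_range() {
    case "$1" in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in *[!0-9]*) return 2 ;; esac
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 18 ]; }
}

# binder_rust_enabled CONFIG_FILE: 0 if the Rust Binder driver is enabled (=y or =m).
# Reads plain config files and gzip-compressed ones such as /proc/config.gz.
binder_rust_enabled() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac | grep -Eq '^CONFIG_ANDROID_BINDER_IPC_RUST=[ym]$'
}

# triage RELEASE CONFIG_FILE: prints one verdict word.
triage() {
    rc=0
    kernel_in_range "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then echo "unknown-version"
    elif [ "$rc" -ne 0 ]; then echo "out-of-range"
    elif [ ! -r "$2" ]; then echo "config-unreadable"
    elif binder_rust_enabled "$2"; then echo "in-scope"   # still verify patch status
    else echo "driver-disabled"
    fi
}

# Live use: sh check.sh --live (config locations are typical, not guaranteed).
if [ "${1:-}" = "--live" ]; then
    cfg=/proc/config.gz
    [ -r "$cfg" ] || cfg="/boot/config-$(uname -r)"
    triage "$(uname -r)" "$cfg"
fi
```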

Weakness Enumeration

Improper Locking

Related Identifiers

BDU:2026-00911
CVE-2025-68260
OPENSUSE-SU-2025:15836-1
OPENSUSE-SU-2026:10301-1

Affected Products

Linux Kernel