CVE-2026-43434

Severity: HIGH

Published: May 8, 2026 · Updated: May 12, 2026

CVSS v3.1: 7.8
EPSS: 0.01% probability of exploitation in 30 days (percentile: 1.7th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: check ownership before using vma

When installing missing pages (or zapping them), Rust Binder will look up the vma in the mm by address, and then call vm_insert_page (or zap_page_range_single). However, if the vma is closed and replaced with a different vma at the same address, this can lead to Rust Binder installing pages into the wrong vma.

By installing the page into a writable vma, it becomes possible to write to your own binder pages, which are normally read-only. Although you're not supposed to be able to write to those pages, the intent behind the design of Rust Binder is that even if you get that ability, it should not lead to anything bad. Unfortunately, due to another bug, that is not the case.

To fix this, store a pointer in vm_private_data and check that the vma returned by vma_lookup() has the right vm_ops and vm_private_data before trying to use the vma. This should ensure that Rust Binder will refuse to interact with any other VMA. The plan is to introduce more vma abstractions to avoid this unsafe access to vm_ops and vm_private_data, but for now let's start with the simplest possible fix.

C Binder performs the same check in a slightly different way: it provides a vm_ops->close that sets a boolean to true, then checks that boolean after calling vma_lookup(), but this is more fragile than the solution in this patch. (We probably still want to do both, but the vm_ops->close callback will be added later as part of the follow-up vma API changes.)

It's still possible to remap the vma so that pages appear in the right vma, but at the wrong offset, but this is a separate issue and will be fixed when Rust Binder gets a vm_ops->close callback.

NVD Source
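
The ownership check outlined in the description, modeled in userspace C as an added example (this is not the kernel patch or Rust Binder's code). Only vm_ops, vm_private_data and vma_lookup() come from the description; the structs, function names and the constructed scenario are assumptions made for illustration.

```c
#include <stddef.h>
/* Userspace model, not kernel code; helper names are hypothetical. */
struct vm_ops { int unused; };
struct vma {
    unsigned long start, end;
    const struct vm_ops *vm_ops;
    void *vm_private_data;
    int pages_installed;
};
struct mm { struct vma *slot; };  /* one mapping is enough for the model */
static const struct vm_ops binder_vm_ops = { 0 };  /* marks Binder mappings */
static const struct vm_ops other_vm_ops = { 0 };   /* any unrelated mapping */

/* Stand-in for vma_lookup(): the mapping covering addr, or NULL. */
static struct vma *model_vma_lookup(struct mm *mm, unsigned long addr) {
    struct vma *v = mm->slot;
    return (v && addr >= v->start && addr < v->end) ? v : NULL;
}

/* Pre-fix shape: trust whatever mapping currently sits at the address. */
int install_page_unchecked(struct mm *mm, unsigned long addr) {
    struct vma *v = model_vma_lookup(mm, addr);
    if (!v) return -1;
    v->pages_installed++;
    return 0;
}

/* Post-fix shape: use the vma only if both ownership markers match. */
int install_page_checked(struct mm *mm, unsigned long addr, void *owner) {
    struct vma *v = model_vma_lookup(mm, addr);
    if (!v) return -1;
    if (v->vm_ops != &binder_vm_ops || v->vm_private_data != owner)
        return -2;  /* not our mapping: refuse to touch it */
    v->pages_installed++;
    return 0;
}

/* Constructed scenario. kind 0: original Binder vma; 1: an unrelated vma now
 * occupies the range; 2: a Binder vma with another owner. Returns page count. */
int pages_installed_after(int kind, int use_check) {
    int owner, stranger;  /* stand-ins for per-process Binder state */
    struct vma v = { 0x1000, 0x3000, &binder_vm_ops, &owner, 0 };
    if (kind == 1) { v.vm_ops = &other_vm_ops; v.vm_private_data = NULL; }
    if (kind == 2) v.vm_private_data = &stranger;
    struct mm mm = { &v };
    if (use_check) install_page_checked(&mm, 0x2000, &owner);
    else install_page_unchecked(&mm, 0x2000);
    return v.pages_installed;
}
```

In the model, the unchecked path installs a page into whichever mapping covers the address, while the checked path installs only when both the vm_ops pointer and the stored owner pointer match.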

Technical Analysis

CVE-2026-43434 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in a complete confidentiality breach (data exposure), full integrity compromise (data manipulation), and availability disruption (denial of service), with a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector: Local
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
Impact
  Confidentiality: High
  Integrity: High
  Availability: High
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux, Rust
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-43434
CVSS Score: 7.8 / 10
Severity: HIGH
CISA KEV: No
EPSS (30d): 0.01%
Published: May 8, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43434 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.