Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability exists in the Linux kernel's binder subsystem, in the management of binder devices. A device can be released without first being removed from the binder_devices list, so the list keeps a pointer to freed memory. The vulnerability was introduced in version 6.15.0-rc7 and has been addressed in the official Linux Git repository. Because the freed memory can be overwritten, the flaw allows memory corruption, potentially leading to arbitrary code execution or other malicious outcomes.
Exploitation of this vulnerability causes a use-after-free condition, allowing for memory corruption. This could be exploited to execute arbitrary code or cause a denial-of-service by crashing the system.
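The unlink-before-free invariant behind this flaw, shown as an added example (not kernel code and not taken from the advisory or the upstream fix): a simplified userspace C model with the flawed release pattern beside the corrected one, plus a debug check that detects list entries pointing at released memory. All names (dev_create, dev_put_buggy, dev_put_fixed, dangling_entries) are hypothetical, and a fixed pool is assumed in place of the kernel allocator.

```c
#include <stdio.h>
#include <string.h>
/* Userspace model, not kernel code; all names are hypothetical. A fixed pool
 * stands in for the allocator so released nodes can be inspected safely. */
struct dev { struct dev *next; int refs, live; };

static struct dev pool[4];
static struct dev *dev_list;   /* models the global device list */

static struct dev *dev_create(void) {
    for (int i = 0; i < 4; i++) {
        struct dev *d = &pool[i];
        if (d->live) continue;
        memset(d, 0, sizeof(*d));   /* reusing a slot overwrites old contents */
        d->live = 1; d->refs = 1;
        d->next = dev_list;         /* insert at list head */
        dev_list = d;
        return d;
    }
    return NULL;
}

static void dev_unlink(struct dev *d) {
    for (struct dev **pp = &dev_list; *pp; pp = &(*pp)->next)
        if (*pp == d) { *pp = d->next; d->next = NULL; return; }
}

/* Flawed pattern: memory released while still reachable from dev_list. */
static void dev_put_buggy(struct dev *d) { if (--d->refs == 0) d->live = 0; }

/* Corrected pattern: unlink from the list before releasing the memory. */
static void dev_put_fixed(struct dev *d) {
    if (--d->refs == 0) { dev_unlink(d); d->live = 0; }
}

/* Debug check: count list entries that point at released memory. */
static int dangling_entries(void) {
    int n = 0;
    for (struct dev *d = dev_list; d; d = d->next) n += !d->live;
    return n;
}

int main(void) {
    dev_put_fixed(dev_create());
    int after_fixed = dangling_entries();
    dev_put_buggy(dev_create());
    printf("fixed: %d dangling, buggy: %d dangling\n", after_fixed, dangling_entries());
    return 0;
}
```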
The vulnerability can be reproduced by creating a binder device and then releasing it without removing it from the binder_devices list. This can be done by using the binder_ctl_ioctl function to create a device, and then freeing it through the binder_proc_dec_tmpref function, which does not properly remove the device from the list first.
Users should upgrade to the latest stable version of the Linux kernel where this vulnerability has been fixed.