CVE-2025-38175
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38175
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38175.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-38175
- Downstream
- Published
- 2025-07-04T10:39:56Z
- Modified
- 2025-10-22T12:28:04.766862Z
- Summary
- binder: fix yet another UAF in binder_devices
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
binder: fix yet another UAF in binder_devices
Commit e77aff5528a18 ("binderfs: fix use-after-free in binderdevices") addressed a use-after-free where devices could be released without first being removed from the binderdevices list. However, there is a similar path in binderfreeproc() that was missed:
================================================================== BUG: KASAN: slab-use-after-free in binderremovedevice+0xd4/0x100 Write of size 8 at addr ffff0000c773b900 by task umount/467 CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT Hardware name: linux,dummy-virt (DT) Call trace: binderremovedevice+0xd4/0x100 binderfsevictinode+0x230/0x2f0 evict+0x25c/0x5dc iput+0x304/0x480 dentryunlinkinode+0x208/0x46c _dentrykill+0x154/0x530 [...]
Allocated by task 463: _kmalloccachenoprof+0x13c/0x324 binderfsbinderdevicecreate.isra.0+0x138/0xa60 binderctlioctl+0x1ac/0x230 [...]
Freed by task 215: kfree+0x184/0x31c binderprocdectmpref+0x33c/0x4ac binderdeferredfunc+0xc10/0x1108 processone_work+0x520/0xba4 [...] ==================================================================
Call binderremovedevice() within binderfreeproc() to ensure the device is removed from the binder_devices list before being kfreed.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced12d909cac1e1c4147cc3417fee804ee12fc6b984Fixed4a7694f499cae5b83412c5281bf2c961f34f2ed6
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced12d909cac1e1c4147cc3417fee804ee12fc6b984Fixed72a726fb5f25fbb31d6060acfb671c1955831245
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced12d909cac1e1c4147cc3417fee804ee12fc6b984Fixed9857af0fcff385c75433f2162c30c62eb912ef6d
Affected versions
v6.*
Database specific
vanir_signatures
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9857af0fcff385c75433f2162c30c62eb912ef6d",
"target": {
"file": "drivers/android/binder.c"
},
"digest": {
"line_hashes": [
"134152819784124310863192464914285987559",
"42993776665822737602429501201899198157",
"241125481736749023284307586980937264008",
"121612136222915372148089281876657488950"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2025-38175-166d5501",
"signature_version": "v1",
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a7694f499cae5b83412c5281bf2c961f34f2ed6",
"target": {
"file": "drivers/android/binder.c"
},
"digest": {
"line_hashes": [
"134152819784124310863192464914285987559",
"42993776665822737602429501201899198157",
"241125481736749023284307586980937264008",
"121612136222915372148089281876657488950"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2025-38175-406bee46",
"signature_version": "v1",
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72a726fb5f25fbb31d6060acfb671c1955831245",
"target": {
"file": "drivers/android/binder.c"
},
"digest": {
"line_hashes": [
"134152819784124310863192464914285987559",
"42993776665822737602429501201899198157",
"241125481736749023284307586980937264008",
"121612136222915372148089281876657488950"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2025-38175-4107f9a0",
"signature_version": "v1",
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a7694f499cae5b83412c5281bf2c961f34f2ed6",
"target": {
"function": "binder_free_proc",
"file": "drivers/android/binder.c"
},
"digest": {
"function_hash": "51924594226598773162897995045918252197",
"length": 615.0
},
"deprecated": false,
"id": "CVE-2025-38175-73eabf94",
"signature_version": "v1",
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9857af0fcff385c75433f2162c30c62eb912ef6d",
"target": {
"function": "binder_free_proc",
"file": "drivers/android/binder.c"
},
"digest": {
"function_hash": "51924594226598773162897995045918252197",
"length": 615.0
},
"deprecated": false,
"id": "CVE-2025-38175-95bd090e",
"signature_version": "v1",
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72a726fb5f25fbb31d6060acfb671c1955831245",
"target": {
"function": "binder_free_proc",
"file": "drivers/android/binder.c"
},
"digest": {
"function_hash": "51924594226598773162897995045918252197",
"length": 615.0
},
"deprecated": false,
"id": "CVE-2025-38175-b819410f",
"signature_version": "v1",
"signature_type": "Function"
}
]