CVE-2025-38176

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38176
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38176.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38176
Downstream
Published
2025-07-04T10:39:57.229Z
Modified
2025-11-20T09:16:18.901958Z
Summary
binder: fix use-after-free in binderfs_evict_inode()
Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix use-after-free in binderfsevictinode()

Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled kernel, I've noticed the following:

BUG: KASAN: slab-use-after-free in binderfsevictinode+0x1de/0x2d0 Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699

CPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x1c2/0x2a0 ? pfxdumpstacklvl+0x10/0x10 ? _pfxprintk+0x10/0x10 ? _pfxlockrelease+0x10/0x10 ? _virtaddrvalid+0x18c/0x540 ? _virtaddrvalid+0x469/0x540 printreport+0x155/0x840 ? _virtaddrvalid+0x18c/0x540 ? _virtaddrvalid+0x469/0x540 ? _physaddr+0xba/0x170 ? binderfsevictinode+0x1de/0x2d0 kasanreport+0x147/0x180 ? binderfsevictinode+0x1de/0x2d0 binderfsevictinode+0x1de/0x2d0 ? _pfxbinderfsevictinode+0x10/0x10 evict+0x524/0x9f0 ? _pfxlockrelease+0x10/0x10 ? _pfxevict+0x10/0x10 ? dorawspinunlock+0x4d/0x210 ? _rawspinunlock+0x28/0x50 ? iput+0x697/0x9b0 _dentrykill+0x209/0x660 ? shrinkkill+0x8d/0x2c0 shrinkkill+0xa9/0x2c0 shrinkdentrylist+0x2e0/0x5e0 shrinkdcacheparent+0xa2/0x2c0 ? _pfxshrinkdcacheparent+0x10/0x10 ? _pfxlockrelease+0x10/0x10 ? _pfxdorawspinlock+0x10/0x10 doonetree+0x23/0xe0 shrinkdcacheforumount+0xa0/0x170 genericshutdownsuper+0x67/0x390 killlittersuper+0x76/0xb0 binderfskillsuper+0x44/0x90 deactivatelockedsuper+0xb9/0x130 cleanupmnt+0x422/0x4c0 ? lockdephardirqson+0x9d/0x150 taskworkrun+0x1d2/0x260 ? _pfxtaskworkrun+0x10/0x10 resumeusermodework+0x52/0x60 syscallexittousermode+0x9a/0x120 dosyscall64+0x103/0x210 ? asmsysvecapictimerinterrupt+0x1a/0x20 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0xcac57b Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 RSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850 RBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff R10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718 R13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830 </TASK>

Allocated by task 1705: kasansavetrack+0x3e/0x80 _kasankmalloc+0x8f/0xa0 _kmalloccachenoprof+0x213/0x3e0 binderfsbinderdevicecreate+0x183/0xa80 binderctlioctl+0x138/0x190 _x64sysioctl+0x120/0x1b0 dosyscall64+0xf6/0x210 entrySYSCALL64after_hwframe+0x77/0x7f

Freed by task 1705: kasansavetrack+0x3e/0x80 kasansavefreeinfo+0x46/0x50 _kasanslabfree+0x62/0x70 kfree+0x194/0x440 evict+0x524/0x9f0 dounlinkat+0x390/0x5b0 _x64sysunlink+0x47/0x50 dosyscall64+0xf6/0x210 entrySYSCALL64afterhwframe+0x77/0x7f

This 'stress-ng' workload causes the concurrent deletions from 'binder_devices' and so requires full-featured synchronization to prevent list corruption.

I've found this issue independently but pretty sure that syzbot did the same, so Reported-by: and Closes: should be applicable here as well.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e77aff5528a183462714f750e45add6cc71e276a
Fixed
80ed8ab8efa0d18c03968a2321154f10e2d1a2e3
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e77aff5528a183462714f750e45add6cc71e276a
Fixed
aea61a1a77613d4184d7ebe7c1d7cb606458b43b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e77aff5528a183462714f750e45add6cc71e276a
Fixed
8c0a559825281764061a127632e5ad273f0466ad

Affected versions

v6.*

v6.14
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.10
v6.14.2
v6.14.3
v6.14.4
v6.14.5
v6.14.6
v6.14.7
v6.14.8
v6.14.9
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1

Database specific

vanir_signatures

[
    {
        "id": "CVE-2025-38176-051cbb64",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "114645503374662118233420712313235476286",
                "120319955285937332925514446608632249693",
                "226361326135046293550330137668654808168",
                "196372149939075424122481289198635973207",
                "107801607440907517503095291831518183612",
                "316764325579087943943567795756282758784",
                "234830520497851076096726139847893131925",
                "230388860707834025823315457741482892796",
                "166396555313345579889921339375543637213",
                "176911473878088479485012300221619557319",
                "305710375935704133528360428042557295466",
                "38904834407094168587480914091152368185",
                "100564423657901171208939911921234354564",
                "294914725710456615226753012398078414384",
                "154723048658404755058128386454151014765",
                "307366487878335749292311196618932040199",
                "324372616330031013511049319249353369588"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@80ed8ab8efa0d18c03968a2321154f10e2d1a2e3",
        "target": {
            "file": "drivers/android/binder.c"
        }
    },
    {
        "id": "CVE-2025-38176-19aa6741",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "121653710167998391062604893388563627515",
                "311042695128883065678435978487373091430",
                "335055429017793763937790321469311729359",
                "55669058657084018424703270257411748028"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aea61a1a77613d4184d7ebe7c1d7cb606458b43b",
        "target": {
            "file": "drivers/android/binderfs.c"
        }
    },
    {
        "id": "CVE-2025-38176-3dd6caf1",
        "signature_version": "v1",
        "digest": {
            "function_hash": "110863635832872269905489005389576196562",
            "length": 87.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aea61a1a77613d4184d7ebe7c1d7cb606458b43b",
        "target": {
            "file": "drivers/android/binder.c",
            "function": "binder_add_device"
        }
    },
    {
        "id": "CVE-2025-38176-49c06700",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "114645503374662118233420712313235476286",
                "120319955285937332925514446608632249693",
                "226361326135046293550330137668654808168",
                "196372149939075424122481289198635973207",
                "107801607440907517503095291831518183612",
                "316764325579087943943567795756282758784",
                "234830520497851076096726139847893131925",
                "230388860707834025823315457741482892796",
                "166396555313345579889921339375543637213",
                "176911473878088479485012300221619557319",
                "305710375935704133528360428042557295466",
                "38904834407094168587480914091152368185",
                "100564423657901171208939911921234354564",
                "294914725710456615226753012398078414384",
                "154723048658404755058128386454151014765",
                "307366487878335749292311196618932040199",
                "324372616330031013511049319249353369588"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aea61a1a77613d4184d7ebe7c1d7cb606458b43b",
        "target": {
            "file": "drivers/android/binder.c"
        }
    },
    {
        "id": "CVE-2025-38176-72d192aa",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "253047366376412240523884290563236881522",
                "188699875395899283065053863930815751256"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@80ed8ab8efa0d18c03968a2321154f10e2d1a2e3",
        "target": {
            "file": "drivers/android/binder_internal.h"
        }
    },
    {
        "id": "CVE-2025-38176-7c59dbb4",
        "signature_version": "v1",
        "digest": {
            "function_hash": "146481541112807373127802835829083605915",
            "length": 482.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@80ed8ab8efa0d18c03968a2321154f10e2d1a2e3",
        "target": {
            "file": "drivers/android/binderfs.c",
            "function": "binderfs_evict_inode"
        }
    },
    {
        "id": "CVE-2025-38176-8ec2547b",
        "signature_version": "v1",
        "digest": {
            "function_hash": "44819571202962029830292265672046346574",
            "length": 604.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aea61a1a77613d4184d7ebe7c1d7cb606458b43b",
        "target": {
            "file": "drivers/android/binder.c",
            "function": "init_binder_device"
        }
    },
    {
        "id": "CVE-2025-38176-9565817d",
        "signature_version": "v1",
        "digest": {
            "function_hash": "146481541112807373127802835829083605915",
            "length": 482.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aea61a1a77613d4184d7ebe7c1d7cb606458b43b",
        "target": {
            "file": "drivers/android/binderfs.c",
            "function": "binderfs_evict_inode"
        }
    },
    {
        "id": "CVE-2025-38176-b28b0bbf",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "121653710167998391062604893388563627515",
                "311042695128883065678435978487373091430",
                "335055429017793763937790321469311729359",
                "55669058657084018424703270257411748028"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@80ed8ab8efa0d18c03968a2321154f10e2d1a2e3",
        "target": {
            "file": "drivers/android/binderfs.c"
        }
    },
    {
        "id": "CVE-2025-38176-c21ab434",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "253047366376412240523884290563236881522",
                "188699875395899283065053863930815751256"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aea61a1a77613d4184d7ebe7c1d7cb606458b43b",
        "target": {
            "file": "drivers/android/binder_internal.h"
        }
    },
    {
        "id": "CVE-2025-38176-dfea20a7",
        "signature_version": "v1",
        "digest": {
            "function_hash": "7937610985909077883505889824156344206",
            "length": 1341.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@80ed8ab8efa0d18c03968a2321154f10e2d1a2e3",
        "target": {
            "file": "drivers/android/binder.c",
            "function": "binder_init"
        }
    },
    {
        "id": "CVE-2025-38176-e0d924d5",
        "signature_version": "v1",
        "digest": {
            "function_hash": "110863635832872269905489005389576196562",
            "length": 87.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@80ed8ab8efa0d18c03968a2321154f10e2d1a2e3",
        "target": {
            "file": "drivers/android/binder.c",
            "function": "binder_add_device"
        }
    },
    {
        "id": "CVE-2025-38176-e7d636ff",
        "signature_version": "v1",
        "digest": {
            "function_hash": "44819571202962029830292265672046346574",
            "length": 604.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@80ed8ab8efa0d18c03968a2321154f10e2d1a2e3",
        "target": {
            "file": "drivers/android/binder.c",
            "function": "init_binder_device"
        }
    },
    {
        "id": "CVE-2025-38176-edf296a5",
        "signature_version": "v1",
        "digest": {
            "function_hash": "7937610985909077883505889824156344206",
            "length": 1341.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aea61a1a77613d4184d7ebe7c1d7cb606458b43b",
        "target": {
            "file": "drivers/android/binder.c",
            "function": "binder_init"
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.14.11
Type
ECOSYSTEM
Events
Introduced
6.15.0
Fixed
6.15.2