CVE-2025-40028

NONE EPSS 8.1%
Published Oct 28, 2025 8mo ago · Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved:

binder: fix double-free in dbitmap

A process might fail to allocate a new bitmap when trying to expand its proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap via dbitmap_free(). However, the driver calls dbitmap_free() again when the same process terminates, leading to a double-free error:

    ==================================================================
    BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c
    Free of addr ffff00000b7c1420 by task kworker/9:1/209

    CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT
    Hardware name: linux,dummy-virt (DT)
    Workqueue: events binder_deferred_func
    Call trace:
     kfree+0x164/0x31c
     binder_proc_dec_tmpref+0x2e0/0x55c
     binder_deferred_func+0xc24/0x1120
     process_one_work+0x520/0xba4
    [...]

    Allocated by task 448:
     __kmalloc_noprof+0x178/0x3c0
     bitmap_zalloc+0x24/0x30
     binder_open+0x14c/0xc10
    [...]

    Freed by task 449:
     kfree+0x184/0x31c
     binder_inc_ref_for_node+0xb44/0xe44
     binder_transaction+0x29b4/0x7fbc
     binder_thread_write+0x1708/0x442c
     binder_ioctl+0x1b50/0x2900
    [...]
    ==================================================================

Fix this issue by marking proc->map NULL in dbitmap_free().
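The failure path described above, as an added userspace model (not the kernel's code and not taken from the patch): it shows why clearing the pointer inside the free helper makes the teardown call harmless. The struct layout, the `*_model` names, the `fixed` switch and the one-slot stand-in allocator are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only; layout and names are assumptions, not kernel code. */
struct dbitmap_model {
    unsigned int nbits;
    unsigned long *map;
};

/* Constructed one-slot "heap": a second release is counted, never executed. */
static unsigned long slot[4];
static int slot_live;
static int double_frees;

static unsigned long *model_alloc(void) { slot_live = 1; return slot; }

static void model_free(unsigned long *p)
{
    if (!p)
        return;              /* like kfree(NULL): a no-op */
    if (!slot_live)
        double_frees++;      /* the point where KASAN reports double-free */
    slot_live = 0;
}

/* fixed == 0: pointer left dangling; fixed == 1: pointer cleared after free. */
static void dbitmap_free_model(struct dbitmap_model *d, int fixed)
{
    d->nbits = 0;
    model_free(d->map);
    if (fixed)
        d->map = NULL;
}

/* Lifecycle from the description: open, failed expansion, process teardown. */
static int run_lifecycle(int fixed)
{
    struct dbitmap_model d = { 64, model_alloc() };  /* bitmap from open */
    double_frees = 0;
    dbitmap_free_model(&d, fixed);  /* grow got no new bitmap: frees the old one */
    dbitmap_free_model(&d, fixed);  /* teardown frees the same dmap again */
    return double_frees;
}

int main(void)
{
    printf("before fix: %d double free(s)\n", run_lifecycle(0));
    printf("after fix:  %d double free(s)\n", run_lifecycle(1));
    return 0;
}
```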

Threat Intelligence

EPSS Exploit Probability
8.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 4

  • git.kernel.org https://git.kernel.org/stable/c/0390633979969c54c0ce6a198d6f45cdbe2c84b1
  • git.kernel.org https://git.kernel.org/stable/c/3ebcd3460cad351f198c39c6edb4af519a0ed934
  • git.kernel.org https://git.kernel.org/stable/c/b781e5635a3398e2b64440371233c2c5102cd6cb
  • git.kernel.org https://git.kernel.org/stable/c/c301ec61ce6f16e21a36b99225ca8a20c1591e10

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.