CVE-2025-40028
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: binder: fix double-free in dbitmap A process might fail to allocate a new bitmap when trying to expand its proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap via dbitmap_free(). However, the driver calls dbitmap_free() again when the same process terminates, leading to a double-free error: ================================================================== BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c Free of addr ffff00000b7c1420 by task kworker/9:1/209 CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: kfree+0x164/0x31c binder_proc_dec_tmpref+0x2e0/0x55c binder_deferred_func+0xc24/0x1120 process_one_work+0x520/0xba4 [...] Allocated by task 448: __kmalloc_noprof+0x178/0x3c0 bitmap_zalloc+0x24/0x30 binder_open+0x14c/0xc10 [...] Freed by task 449: kfree+0x184/0x31c binder_inc_ref_for_node+0xb44/0xe44 binder_transaction+0x29b4/0x7fbc binder_thread_write+0x1708/0x442c binder_ioctl+0x1b50/0x2900 [...] ================================================================== Fix this issue by marking proc->map NULL in dbitmap_free().
EPSS Trends
Current EPSS score: 0.03%• Percentile: 9%
Affected Systems
- linux•linux
≥ 15d9da3f818cae676f822a04407d3c17b53357d2, < c301ec61ce6f16e21a36b99225ca8a20c1591e10 | ≥ 15d9da3f818cae676f822a04407d3c17b53357d2, < 0390633979969c54c0ce6a198d6f45cdbe2c84b1 | ≥ 15d9da3f818cae676f822a04407d3c17b53357d2, < b781e5635a3398e2b64440371233c2c5102cd6cb | ≥ 15d9da3f818cae676f822a04407d3c17b53357d2, < 3ebcd3460cad351f198c39c6edb4af519a0ed934 | 6.11