{"id":"CVE-2025-38176","summary":"binder: fix use-after-free in binderfs_evict_inode()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix use-after-free in binderfs_evict_inode()\n\nRunning 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled\nkernel, I've noticed the following:\n\nBUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0\nWrite of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699\n\nCPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x1c2/0x2a0\n ? __pfx_dump_stack_lvl+0x10/0x10\n ? __pfx__printk+0x10/0x10\n ? __pfx_lock_release+0x10/0x10\n ? __virt_addr_valid+0x18c/0x540\n ? __virt_addr_valid+0x469/0x540\n print_report+0x155/0x840\n ? __virt_addr_valid+0x18c/0x540\n ? __virt_addr_valid+0x469/0x540\n ? __phys_addr+0xba/0x170\n ? binderfs_evict_inode+0x1de/0x2d0\n kasan_report+0x147/0x180\n ? binderfs_evict_inode+0x1de/0x2d0\n binderfs_evict_inode+0x1de/0x2d0\n ? __pfx_binderfs_evict_inode+0x10/0x10\n evict+0x524/0x9f0\n ? __pfx_lock_release+0x10/0x10\n ? __pfx_evict+0x10/0x10\n ? do_raw_spin_unlock+0x4d/0x210\n ? _raw_spin_unlock+0x28/0x50\n ? iput+0x697/0x9b0\n __dentry_kill+0x209/0x660\n ? shrink_kill+0x8d/0x2c0\n shrink_kill+0xa9/0x2c0\n shrink_dentry_list+0x2e0/0x5e0\n shrink_dcache_parent+0xa2/0x2c0\n ? __pfx_shrink_dcache_parent+0x10/0x10\n ? __pfx_lock_release+0x10/0x10\n ? __pfx_do_raw_spin_lock+0x10/0x10\n do_one_tree+0x23/0xe0\n shrink_dcache_for_umount+0xa0/0x170\n generic_shutdown_super+0x67/0x390\n kill_litter_super+0x76/0xb0\n binderfs_kill_super+0x44/0x90\n deactivate_locked_super+0xb9/0x130\n cleanup_mnt+0x422/0x4c0\n ? lockdep_hardirqs_on+0x9d/0x150\n task_work_run+0x1d2/0x260\n ? __pfx_task_work_run+0x10/0x10\n resume_user_mode_work+0x52/0x60\n syscall_exit_to_user_mode+0x9a/0x120\n do_syscall_64+0x103/0x210\n ? asm_sysvec_apic_timer_interrupt+0x1a/0x20\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0xcac57b\nCode: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8\nRSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\nRAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850\nRBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff\nR10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718\nR13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830\n \u003c/TASK\u003e\n\nAllocated by task 1705:\n kasan_save_track+0x3e/0x80\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc_cache_noprof+0x213/0x3e0\n binderfs_binder_device_create+0x183/0xa80\n binder_ctl_ioctl+0x138/0x190\n __x64_sys_ioctl+0x120/0x1b0\n do_syscall_64+0xf6/0x210\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 1705:\n kasan_save_track+0x3e/0x80\n kasan_save_free_info+0x46/0x50\n __kasan_slab_free+0x62/0x70\n kfree+0x194/0x440\n evict+0x524/0x9f0\n do_unlinkat+0x390/0x5b0\n __x64_sys_unlink+0x47/0x50\n do_syscall_64+0xf6/0x210\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis 'stress-ng' workload causes the concurrent deletions from\n'binder_devices' and so requires full-featured synchronization\nto prevent list corruption.\n\nI've found this issue independently but pretty sure that syzbot did\nthe same, so Reported-by: and Closes: should be applicable here as well.","modified":"2026-04-02T12:47:50.748043Z","published":"2025-07-04T10:39:57.229Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38176.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/80ed8ab8efa0d18c03968a2321154f10e2d1a2e3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8c0a559825281764061a127632e5ad273f0466ad"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aea61a1a77613d4184d7ebe7c1d7cb606458b43b"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38176.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38176"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e77aff5528a183462714f750e45add6cc71e276a"},{"fixed":"80ed8ab8efa0d18c03968a2321154f10e2d1a2e3"},{"fixed":"aea61a1a77613d4184d7ebe7c1d7cb606458b43b"},{"fixed":"8c0a559825281764061a127632e5ad273f0466ad"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38176.json"}}],"schema_version":"1.7.5"}