Rust’s First Breach: CVE-2025-68260 Marks the First Rust Vulnerability in the Linux Kernel

A vulnerability designated CVE-2025-68260 has been fixed in the Linux kernel—the first CVE formally assigned to Rust code in the mainline kernel. Greg Kroah-Hartman reported the issue, which affects the Android Binder driver rewritten in Rust and, in the worst case, could lead to system crashes.

At the heart of the bug lies an unsafe operation within the Rust-based Binder implementation, where an element is removed from a linked list while another thread may concurrently manipulate the same prev/next pointers. The design assumed that a NodeDeath object would never appear in a “foreign” list; in practice, however, a scenario emerged in which the same element could be processed simultaneously from multiple contexts.

The problem stemmed from the logic in Node::release: a lock was acquired, all elements were moved into a temporary stack-based list, the lock was released, and then the local list was traversed. If, in parallel, another thread invoked an unsafe removal on the original list, a race condition arose that corrupted the prev/next pointers, ultimately leading to memory corruption and kernel crashes. An example failure cited an “Unable to handle kernel paging request” error in the rust_binder module.

The fix involved rewriting Node::release to extract elements directly from the original list, eliminating the intermediate stack-based list altogether. According to the Linux kernel CVE team, the issue was introduced in Linux 6.18 (commit eafedbc7c050c44744fbdf80bdf3315e860b7513) and resolved in 6.18.1 (3428831264096d32f830a7fcfc7885dd263e511a), as well as in 6.19-rc1 (3e0ae02ba831da2b707905f4e602e43f8507b8cc). The affected file is drivers/android/binder/node.rs.

As a mitigation measure, the Linux kernel CVE team strongly recommends upgrading to a current stable kernel release: individual changes are not tested in isolation, and selective patch application is not officially supported. Where upgrading is not feasible, the necessary fixes can be found by referencing the cited commits in the stable branch repository.

Related Posts:

• Rust Lands in Windows 11 Kernel: A New Era for OS Security?
• Akira v2 Emerges: Rust-Based Ransomware Raises the Stakes
• CVE Foundation Launched to Secure Vulnerability Tracking