CVE-2025-40028

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-40028
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40028.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40028
Downstream
Published
2025-10-28T09:32:35.681Z
Modified
2025-12-03T02:11:35.871289Z
Summary
binder: fix double-free in dbitmap
Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix double-free in dbitmap

A process might fail to allocate a new bitmap when trying to expand its proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap via dbitmap_free(). However, the driver calls dbitmap_free() again when the same process terminates, leading to a double-free error:

==================================================================
BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c
Free of addr ffff00000b7c1420 by task kworker/9:1/209

CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
 kfree+0x164/0x31c
 binder_proc_dec_tmpref+0x2e0/0x55c
 binder_deferred_func+0xc24/0x1120
 process_one_work+0x520/0xba4
 [...]

Allocated by task 448:
 __kmalloc_noprof+0x178/0x3c0
 bitmap_zalloc+0x24/0x30
 binder_open+0x14c/0xc10
 [...]

Freed by task 449:
 kfree+0x184/0x31c
 binder_inc_ref_for_node+0xb44/0xe44
 binder_transaction+0x29b4/0x7fbc
 binder_thread_write+0x1708/0x442c
 binder_ioctl+0x1b50/0x2900
 [...]
==================================================================

Fix this issue by marking proc->map NULL in dbitmap_free().
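The pre-fix and fixed shapes of dbitmap_free(), driven through the failed-grow-then-teardown sequence described above, as an added C model written for this page (not the kernel's code): the free tracker standing in for KASAN, the fail_alloc flag and simulate_lifecycle() are constructed for the illustration.

```c
#include <stdlib.h>

/* Minimal model of binder's dbitmap for this page; not the kernel's code. */
struct dbitmap { unsigned long *map; };
/* Tracker standing in for KASAN: a second free of the same pointer is counted. */
static void *last_freed; static int double_frees;
static void tracked_free(void *p)
{
	if (!p) return;			/* kfree(NULL) is a no-op */
	if (p == last_freed) {
		double_frees++;		/* the condition KASAN reported */
		return;
	}
	free(p);
	last_freed = p;
}
/* Pre-fix shape: the map pointer is left dangling after the free. */
static void dbitmap_free_old(struct dbitmap *dmap)
{
	tracked_free(dmap->map);
}
/* Fixed shape: map is set to NULL, so a later dbitmap_free() is harmless. */
static void dbitmap_free_fixed(struct dbitmap *dmap)
{
	tracked_free(dmap->map);
	dmap->map = NULL;
}
/* Modelled on dbitmap_grow(): if the larger bitmap cannot be allocated (forced by fail_alloc), the old map is released and -1 returned. */
static int dbitmap_grow(struct dbitmap *dmap, unsigned int nbits, int fail_alloc,
			void (*dbitmap_free)(struct dbitmap *))
{
	unsigned long *new = fail_alloc ? NULL : calloc((nbits + 63) / 64, sizeof(*new));
	if (!new) {
		dbitmap_free(dmap);	/* ownership of the old map ends here */
		return -1;
	}
	tracked_free(dmap->map);	/* success: swap in the larger map */
	dmap->map = new;
	return 0;
}
/* binder_open() -> failed grow -> process teardown; returns double frees seen. */
int simulate_lifecycle(void (*dbitmap_free)(struct dbitmap *))
{
	struct dbitmap dmap = { calloc(1, sizeof(unsigned long)) };
	last_freed = NULL; double_frees = 0;
	dbitmap_grow(&dmap, 128, 1, dbitmap_free);	/* expansion fails */
	dbitmap_free(&dmap);				/* process terminates */
	return double_frees;
}
```

With the pre-fix routine the teardown free hits the already-released map once; with the fixed routine the second call sees NULL and does nothing.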

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40028.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
15d9da3f818cae676f822a04407d3c17b53357d2
Fixed
c301ec61ce6f16e21a36b99225ca8a20c1591e10
Fixed
0390633979969c54c0ce6a198d6f45cdbe2c84b1
Fixed
b781e5635a3398e2b64440371233c2c5102cd6cb
Fixed
3ebcd3460cad351f198c39c6edb4af519a0ed934

Affected versions

v6.*

v6.10
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.46
v6.12.47
v6.12.48
v6.12.49
v6.12.5
v6.12.50
v6.12.51
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.16.1
v6.16.10
v6.16.11
v6.16.2
v6.16.3
v6.16.4
v6.16.5
v6.16.6
v6.16.7
v6.16.8
v6.16.9
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.12.52
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.16.12
Type
ECOSYSTEM
Events
Introduced
6.17.0
Fixed
6.17.2