The First Rust CVE in Linux Kernel Only Makes Your System Crash


CVE-2025-68260 affects the Android Binder driver, which was rewritten in Rust for Linux 6.18 and newer. The driver handles communication between different parts of Android.

The bug happens when different parts of the code try to access the same list at the same time (the technical term is a “data race”). This creates a timing issue that messes things up, and the system crashes.

But here’s the thing: it only causes crashes. It does not let attackers take over your system, steal data, or run malicious code. That is very different from typical memory bugs found in C code, which could allow those things.

In a post on social.kernel.org, Greg put it like this:

Rust is not a “silver bullet” that can solve all security problems, but it sure helps out a lot and will cut out huge swatches of Linux kernel vulnerabilities as it gets used more widely in our codebase.

That being said, we just assigned our first CVE for some Rust code in the kernel: https://lore.kernel.org/all/2025121614-CVE-2025-68260-558d@gregkh/ where the offending issue just causes a crash, not the ability to take advantage of the memory corruption, a much better thing overall.

Note the other 159 kernel CVEs issued today for fixes in the C portion of the codebase, so as always, everyone should be upgrading to newer kernels to remain secure overall.

You see what he’s saying? 🤔

On the same day this Rust CVE was announced, 159 other CVEs were issued for the C portions of the kernel. Greg’s message is clear: Rust isn’t perfect, but it’s helping.

The fix is already available. If you are running Linux 6.18, update to 6.18.1 or later; the fix is also in 6.19-RC1. The Linux kernel CVE team recommends updating to the latest stable version rather than trying to cherry-pick individual patches.

Of course this CVE is sure to ruffle some feathers because it is related to Rust. But beyond that, it’s good to see the kernel team continuing to deliver patches consistently, regardless of which language the bugs are in. That’s what matters at the end of the day.

Via: Phoronix
