Skip to main content

Linux Kernel FUSE CVE-2026-31694

| EUVDEUVD-2026-26503 HIGH
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 09:31 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26503
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

fuse: reject oversized dirents in page cache

fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existing logic only checks whether the dirent fits in the remaining space of the current page and advances to a fresh page if not. It never checks whether the dirent itself exceeds PAGE_SIZE.

As a result, a malicious FUSE server can return a dirent with namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB page systems this causes memcpy() to overflow the cache page by 24 bytes into the following kernel page.

Reject dirents that cannot fit in a single page before copying them into the readdir cache.

AnalysisAI

A malicious FUSE server can trigger a 24-byte buffer overflow in the Linux kernel's FUSE directory cache implementation on 4 KiB page systems. The fuse_add_dirent_to_cache() function fails to validate that directory entries fit within PAGE_SIZE before copying them to page cache, allowing a server-controlled namelen value of 4095 to produce a 4120-byte serialized record that overflows into adjacent kernel memory. This enables local attackers with FUSE mount privileges to achieve high-severity impacts including arbitrary kernel memory corruption. EPSS exploitation probability is notably low (0.02%, 5th percentile) despite the 7.8 CVSS score, and no public exploit has been identified. Patches are available across multiple stable kernel versions (6.6.136, 6.12.84, 7.0.2, 7.1-rc1, 6.18.25).

Technical ContextAI

This vulnerability affects the Linux kernel's FUSE (Filesystem in Userspace) subsystem, specifically the readdir caching mechanism introduced in kernel 4.20 (commit 69e34551152a). FUSE allows userspace programs to implement filesystems, with the kernel handling VFS operations and communicating with the userspace server. The fuse_add_dirent_to_cache() function serializes directory entries (dirents) into page cache for performance optimization. The serialized format includes a fixed-size header plus the variable-length filename, with total size calculated as FUSE_DIRENT_ALIGN(FUSE_NAME_OFFSET + namelen). On systems with 4096-byte pages, a namelen of 4095 produces a 4120-byte record (header overhead + alignment), exceeding PAGE_SIZE by 24 bytes. The vulnerability stems from incomplete bounds checking: the code verifies dirents fit in remaining page space but never validates against absolute PAGE_SIZE limits before memcpy(), trusting server-provided length fields. This represents a classic integer-to-buffer-size validation gap where architectural assumptions (single-page records) lack enforcement against malicious inputs.

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.136 or later for the 6.6.x LTS series, 6.12.84+ for 6.12.x, 6.18.25+ for 6.18.x, 7.0.2+ for 7.0.x, or 7.1-rc1+ for mainline kernels. Patch implementation adds explicit PAGE_SIZE validation before copying dirents to cache (commits available at https://git.kernel.org/stable/c/7de93abfaae1b2dc94da8a07a36421bd073f1d8f and series). For systems where immediate kernel updates are not feasible, apply these compensating controls with noted trade-offs: (1) Disable FUSE support entirely via 'echo "install fuse /bin/true" > /etc/modprobe.d/disable-fuse.conf' and blacklist the module-this breaks legitimate FUSE-based applications like AppImage, snapd, and user-mounted filesystems; (2) Restrict FUSE mount capabilities by removing CAP_SYS_ADMIN from untrusted users and disabling user_allow_other in /etc/fuse.conf-reduces attack surface but may impact multi-user systems; (3) In containerized environments, block FUSE device access via seccomp profiles or device cgroup denylists (devices.deny = c 10:229 rwm)-prevents exploitation in containers but breaks container-based FUSE workflows. Validation of patch application can be confirmed by checking kernel version (uname -r) against the fixed versions listed above. Distribution-specific advisories should be monitored for backported patches in vendor kernels.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31694 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy