Skip to main content

FreeBSD fusefs CVE-2026-45252

| EUVDEUVD-2026-31254 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-05-21 freebsd GHSA-fqrg-fvv5-42g2
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 15:24 vuln.today
Severity Changed
May 21, 2026 - 15:22 NVD
HIGH MEDIUM
CVSS changed
May 21, 2026 - 15:22 NVD
7.5 (HIGH) 5.5 (MEDIUM)
CVE Published
May 21, 2026 - 09:08 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated.

If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space.

AnalysisAI

FreeBSD's fusefs kernel module mishandles extended attribute list responses from FUSE userspace daemons by calling strlen() on daemon-supplied buffers without first verifying NUL-termination, enabling a malicious daemon operator to read up to 253 bytes of kernel heap memory or inject up to 250 attacker-controlled bytes into unallocated kernel heap space. Affected releases are FreeBSD 14.3-RELEASE prior to p14, 14.4-RELEASE prior to p5, and 15.0-RELEASE prior to p9 per FreeBSD-SA-26:20.fusefs and EUVD-2026-31254. No public exploit code exists and EPSS sits at 0.02% (5th percentile), though the heap write primitive carries local privilege escalation potential beyond what the CVSS integrity score reflects.

Technical ContextAI

The vulnerable component is FreeBSD's fusefs kernel module, which implements the in-kernel side of the FUSE (Filesystem in Userspace) protocol, bridging userspace daemon processes and the kernel VFS layer. The CWE-122 (Heap-based Buffer Overflow) root cause is a missing input validation step: when the kernel issues a FUSE_LISTXATTR request and receives the daemon's packed list of NUL-terminated attribute name strings, it passes that response buffer directly to strlen() without confirming the entire payload is properly NUL-terminated. A daemon response that omits the final NUL causes strlen() to read past the end of the heap-allocated receive buffer (over-read of up to 253 bytes), and the resulting miscalculated length can additionally cause a write of up to 250 attacker-controlled bytes into an adjacent unallocated heap region. The CPE cpe:2.3:a:freebsd:freebsd:*:*:*:*:*:*:*:* covers the FreeBSD base system; only deployments with fusefs loaded and FUSE filesystems mounted are exposed to this code path.

RemediationAI

Apply vendor-released patches by upgrading to FreeBSD 14.4-RELEASE-p5, FreeBSD 14.3-RELEASE-p14, or FreeBSD 15.0-RELEASE-p9 as appropriate, per the official advisory at https://security.freebsd.org/advisories/FreeBSD-SA-26:20.fusefs.asc. Until patching is feasible, a targeted compensating control is to disable user-mountable FUSE filesystems by setting the sysctl vfs.usermount=0 (and persisting it in /etc/sysctl.conf), which ensures only root-operated FUSE daemons - which imply full system trust - can trigger the vulnerable code path; the trade-off is that non-root users lose the ability to mount any filesystem type, including legitimate FUSE tools such as sshfs or gocryptfs. Alternatively, unloading or blacklisting the fusefs kernel module entirely eliminates exposure with the trade-off of disabling all FUSE functionality system-wide. No partial workaround that preserves untrusted-user FUSE access while mitigating the strlen over-read is documented in available references.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2013-2171 MEDIUM POC
6.9 Jul 02

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS

CVE-2016-5766 HIGH POC
8.8 Aug 07

Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used

CVE-2016-1879 HIGH POC
7.5 Jan 29

The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w

CVE-2020-7457 HIGH POC
8.1 Jul 09

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2012-3549 HIGH POC
7.8 Oct 09

The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an

CVE-2024-29937 CRITICAL POC
9.8 Apr 11

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers

Share

CVE-2026-45252 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy