Skip to main content

Linux Kernel CVE-2026-53167

| EUVDEUVD-2026-39258 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vg6g-9h68-878w
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.3 MEDIUM

AC:H reflects the non-default init_on_alloc=0 prerequisite; C:H captures kernel memory leakage explicitly described; A:L for potential aberrant FUSE behavior; AV:L and PR:L match CVSS and description constraints.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 06, 2026 - 20:27 vuln.today
CVSS changed
Jul 06, 2026 - 20:22 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios

FUSE_NOTIFY_RETRIEVE must be limited to uptodate folios; !uptodate folios can contain uninitialized data. Since FUSE_NOTIFY_RETRIEVE is intended to only return data that is already in the page cache and not wait for data from the FUSE daemon, treat !uptodate folios as if they weren't present.

This only has security impact on systems that don't enable automatic zero-initialization of all page allocations via CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1.

AnalysisAI

Uninitialized memory exposure in the Linux kernel FUSE subsystem allows a local attacker to read residual kernel page cache data via the FUSE_NOTIFY_RETRIEVE notification path. The flaw affects systems where folios not marked 'uptodate' are returned to FUSE daemons rather than treated as absent - a condition with direct security impact only on kernels built or booted without automatic page-allocation zeroing (CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local user access on target system
Delivery
Interact with accessible FUSE filesystem
Exploit
Trigger FUSE_NOTIFY_RETRIEVE against non-uptodate folio
Execution
Kernel returns uninitialized page cache bytes
Impact
Read residual kernel memory contents

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) local system access with at least low privileges (CVSS PR:L); (2) the fuse kernel module loaded and a FUSE filesystem accessible to the attacker; (3) the kernel running without CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the init_on_alloc=1 boot parameter - the CVE description explicitly states that systems with these settings do NOT have a security impact from this flaw. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) assigns high availability impact but zero confidentiality impact - this conflicts with both the 'Information Disclosure' tag and the description's explicit statement that the issue has 'security impact on systems that don't enable automatic zero-initialization.' This discrepancy is unresolved and should be verified with kernel maintainers or the reporter (416baaa9-dc9f-4396-8d5f-8c081fb06d67). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local unprivileged user on a system without init_on_alloc enabled interacts with a FUSE-backed filesystem and crafts a sequence of operations that triggers FUSE_NOTIFY_RETRIEVE against a folio the kernel has not yet populated with valid data. The kernel, lacking the fix, returns the folio's uninitialized bytes - which may contain residual data from prior kernel allocations - to the FUSE daemon process. …
Remediation Upgrade to Linux kernel 7.1, 7.0.13, or 6.18.36, which contain the targeted fix treating non-uptodate folios as absent in FUSE_NOTIFY_RETRIEVE. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53167 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy