Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access and low-privilege user required to trigger FUSE path; only availability impact confirmed, no confidentiality or integrity effect.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
fuse: fix uninit-value in fuse_dentry_revalidate()
fuse_dentry_revalidate() may be called with a dentry that didn't had ->d_time initialised. The issue was found with KMSAN, where lookup_open() calls __d_alloc(), followed by d_revalidate(), as shown below:
============= BUG: KMSAN: uninit-value in fuse_dentry_revalidate+0x150/0x13d0 fs/fuse/dir.c:394 fuse_dentry_revalidate+0x150/0x13d0 fs/fuse/dir.c:394 d_revalidate fs/namei.c:1030 [inline] lookup_open fs/namei.c:4405 [inline] open_last_lookups fs/namei.c:4583 [inline] path_openat+0x1614/0x64c0 fs/namei.c:4827 do_file_open+0x2aa/0x680 fs/namei.c:4859 [...]
Uninit was created at: slab_post_alloc_hook mm/slub.c:4466 [inline] slab_alloc_node mm/slub.c:4788 [inline] kmem_cache_alloc_lru_noprof+0x382/0x1280 mm/slub.c:4807 __d_alloc+0x55/0xa00 fs/dcache.c:1740 d_alloc_parallel+0x99/0x2740 fs/dcache.c:2604 lookup_open fs/namei.c:4398 [inline] open_last_lookups fs/namei.c:4583 [inline] path_openat+0x135f/0x64c0 fs/namei.c:4827 do_file_open+0x2aa/0x680 fs/namei.c:4859 [...] =============
AnalysisAI
Uninitialized memory read in the Linux kernel FUSE filesystem driver causes local denial-of-service conditions. Specifically, fuse_dentry_revalidate() in fs/fuse/dir.c reads the ->d_time field of a dentry that was allocated by __d_alloc() without initialization, detectable by KMSAN as a use-before-initialize defect. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local authenticated access (CVSS PR:L) to a system running an affected kernel version. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H accurately reflects local, low-complexity exploitation with high availability impact and no confidentiality or integrity consequence - consistent with a kernel crash triggered by an authenticated local user. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user on a Linux system running an affected kernel mounts a FUSE filesystem using a userspace program (e.g., sshfs, bindfs, or a custom FUSE implementation). The user then opens a file within that mount, triggering `lookup_open()` in the kernel's VFS layer, which allocates an uninitialized dentry and immediately passes it to `fuse_dentry_revalidate()`. … |
| Remediation | The primary fix is to update to a patched Linux kernel version: 7.0.10 or later in the 7.0.x series, 6.18.34 or later in the 6.18.x series, or 7.1 and later. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-908 – Use of Uninitialized Resource
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39846
GHSA-32q2-cq6r-mpm8