Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AC:H reflects the non-default init_on_alloc=0 prerequisite; C:H captures kernel memory leakage explicitly described; A:L for potential aberrant FUSE behavior; AV:L and PR:L match CVSS and description constraints.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios
FUSE_NOTIFY_RETRIEVE must be limited to uptodate folios; !uptodate folios can contain uninitialized data. Since FUSE_NOTIFY_RETRIEVE is intended to only return data that is already in the page cache and not wait for data from the FUSE daemon, treat !uptodate folios as if they weren't present.
This only has security impact on systems that don't enable automatic zero-initialization of all page allocations via CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1.
AnalysisAI
Uninitialized memory exposure in the Linux kernel FUSE subsystem allows a local attacker to read residual kernel page cache data via the FUSE_NOTIFY_RETRIEVE notification path. The flaw affects systems where folios not marked 'uptodate' are returned to FUSE daemons rather than treated as absent - a condition with direct security impact only on kernels built or booted without automatic page-allocation zeroing (CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following: (1) local system access with at least low privileges (CVSS PR:L); (2) the fuse kernel module loaded and a FUSE filesystem accessible to the attacker; (3) the kernel running without CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the init_on_alloc=1 boot parameter - the CVE description explicitly states that systems with these settings do NOT have a security impact from this flaw. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) assigns high availability impact but zero confidentiality impact - this conflicts with both the 'Information Disclosure' tag and the description's explicit statement that the issue has 'security impact on systems that don't enable automatic zero-initialization.' This discrepancy is unresolved and should be verified with kernel maintainers or the reporter (416baaa9-dc9f-4396-8d5f-8c081fb06d67). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local unprivileged user on a system without init_on_alloc enabled interacts with a FUSE-backed filesystem and crafts a sequence of operations that triggers FUSE_NOTIFY_RETRIEVE against a folio the kernel has not yet populated with valid data. The kernel, lacking the fix, returns the folio's uninitialized bytes - which may contain residual data from prior kernel allocations - to the FUSE daemon process. … |
| Remediation | Upgrade to Linux kernel 7.1, 7.0.13, or 6.18.36, which contain the targeted fix treating non-uptodate folios as absent in FUSE_NOTIFY_RETRIEVE. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-908 – Use of Uninitialized Resource
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39258
GHSA-vg6g-9h68-878w