PT-2026-36324 · Linux · Linux Kernel

Published

2026-04-20

·

Updated

2026-07-03

·

CVE-2026-31694

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Linux Kernel (affected versions not specified)
Description An out-of-bounds write issue exists in the fuse add dirent to cache() function. The system calculates a serialized directory entry (dirent) size using the server-controlled namelen field and copies the entry into a single page-cache page. Because the logic only verifies if the entry fits in the remaining space of the current page and fails to check if the entry itself exceeds the PAGE SIZE, a malicious FUSE server can provide a namelen of 4095. This results in a serialized record size of 4120 bytes, causing a memcpy() operation to overflow the cache page by 24 bytes into the subsequent kernel page on systems with 4 KiB pages. A local low-privileged attacker can exploit this by interacting with a malicious FUSE filesystem to achieve kernel memory corruption, local privilege escalation to root, denial of service, or arbitrary code execution in the kernel context.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-09090
CVE-2026-31694
ECHO-108A-C04C-F9EF
OPENSUSE-SU-2026:10793-1
SUSE-SU-2026:2195-1
SUSE-SU-2026:22276-1
SUSE-SU-2026:22277-1
SUSE-SU-2026:22278-1
SUSE-SU-2026:22279-1
SUSE-SU-2026:22280-1
SUSE-SU-2026:22281-1
SUSE-SU-2026:22282-1
SUSE-SU-2026:22283-1
SUSE-SU-2026:22288-1
SUSE-SU-2026:2238-1
SUSE-SU-2026:22383-1
SUSE-SU-2026:22384-1
SUSE-SU-2026:22385-1
SUSE-SU-2026:22386-1
SUSE-SU-2026:22387-1
SUSE-SU-2026:22388-1
SUSE-SU-2026:22389-1
SUSE-SU-2026:22390-1
SUSE-SU-2026:22391-1
SUSE-SU-2026:22396-1
SUSE-SU-2026:22397-1
SUSE-SU-2026:22398-1
SUSE-SU-2026:22399-1
SUSE-SU-2026:22400-1
SUSE-SU-2026:22401-1
SUSE-SU-2026:22402-1
SUSE-SU-2026:22403-1
SUSE-SU-2026:22404-1
SUSE-SU-2026:22405-1
SUSE-SU-2026:22406-1
SUSE-SU-2026:22407-1
SUSE-SU-2026:22408-1
SUSE-SU-2026:22409-1
SUSE-SU-2026:22410-1
SUSE-SU-2026:22411-1
SUSE-SU-2026:22412-1
SUSE-SU-2026:22413-1
SUSE-SU-2026:22414-1
SUSE-SU-2026:22415-1
SUSE-SU-2026:22416-1
SUSE-SU-2026:22417-1
SUSE-SU-2026:22418-1
SUSE-SU-2026:22419-1
SUSE-SU-2026:22420-1
SUSE-SU-2026:22421-1
SUSE-SU-2026:22425-1
SUSE-SU-2026:22426-1
SUSE-SU-2026:22427-1
SUSE-SU-2026:22428-1
SUSE-SU-2026:22461-1
SUSE-SU-2026:22462-1
SUSE-SU-2026:22463-1
SUSE-SU-2026:22464-1
SUSE-SU-2026:22465-1
SUSE-SU-2026:22466-1
SUSE-SU-2026:22467-1
SUSE-SU-2026:22468-1
SUSE-SU-2026:22469-1
SUSE-SU-2026:22470-1
SUSE-SU-2026:22471-1
SUSE-SU-2026:22472-1
SUSE-SU-2026:22473-1
SUSE-SU-2026:22474-1
SUSE-SU-2026:22475-1
SUSE-SU-2026:22476-1
SUSE-SU-2026:22478-1
SUSE-SU-2026:22479-1
SUSE-SU-2026:22480-1
SUSE-SU-2026:22481-1
SUSE-SU-2026:22482-1
SUSE-SU-2026:22483-1
SUSE-SU-2026:22484-1
SUSE-SU-2026:22485-1
SUSE-SU-2026:22486-1
SUSE-SU-2026:22487-1
SUSE-SU-2026:22488-1
SUSE-SU-2026:22489-1
SUSE-SU-2026:22490-1
SUSE-SU-2026:22491-1
SUSE-SU-2026:2496-1
SUSE-SU-2026:2500-1
SUSE-SU-2026:2503-1
SUSE-SU-2026:2511-1
SUSE-SU-2026:2520-1
SUSE-SU-2026:2532-1
SUSE-SU-2026:2559-1
SUSE-SU-2026:2567-1
SUSE-SU-2026:2571-1
SUSE-SU-2026:2588-1
SUSE-SU-2026:2594-1
SUSE-SU-2026:2601-1
SUSE-SU-2026:2607-1
SUSE-SU-2026:2608-1
SUSE-SU-2026:2610-1
USN-8488-1
USN-8488-2

Affected Products

Linux Kernel