PT-2026-36324 · Linux · Linux Kernel
Published: 2026-04-20 · Updated: 2026-07-03 · CVE-2026-31694
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux Kernel (affected versions not specified)
Description
An out-of-bounds write issue exists in the fuse_add_dirent_to_cache() function. The system calculates a serialized directory entry (dirent) size using the server-controlled namelen field and copies the entry into a single page-cache page. Because the logic only verifies if the entry fits in the remaining space of the current page and fails to check if the entry itself exceeds PAGE_SIZE, a malicious FUSE server can provide a namelen of 4095. This results in a serialized record size of 4120 bytes, causing a memcpy() operation to overflow the cache page by 24 bytes into the subsequent kernel page on systems with 4 KiB pages. A local low-privileged attacker can exploit this by interacting with a malicious FUSE filesystem to achieve kernel memory corruption, local privilege escalation to root, denial of service, or arbitrary code execution in the kernel context.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
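The size arithmetic from the description, as an added user-space model (not kernel code and not the upstream fix): it reproduces the 4120-byte record and the 24-byte overrun, then shows the placement with a per-record bound added. All model_* names, overflow_unchecked() and place_checked() are hypothetical; the struct layout assumes the FUSE uapi dirent header and the guard is one possible check, assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u /* assumption: 4 KiB pages, as in the description */
/* Fixed dirent header followed by the name (layout of the FUSE uapi dirent). */
struct model_dirent {
    uint64_t ino;
    uint64_t off;
    uint32_t namelen;
    uint32_t type;
    char name[];
};

/* Serialized record size: header plus name, rounded up to 8 bytes. */
static size_t model_reclen(uint32_t namelen)
{
    size_t raw = offsetof(struct model_dirent, name) + namelen;
    return (raw + 7u) & ~(size_t)7u;
}

/* Placement as described: only "does it fit in the rest of this page?".
 * Returns the number of bytes a copy would write past the page end. */
static size_t overflow_unchecked(size_t offset, uint32_t namelen)
{
    size_t reclen = model_reclen(namelen);
    if (offset + reclen > MODEL_PAGE_SIZE)
        offset = 0; /* start a fresh page */
    return offset + reclen > MODEL_PAGE_SIZE ? offset + reclen - MODEL_PAGE_SIZE : 0;
}

/* Same placement with the missing bound added (hypothetical guard).
 * Returns the offset used, or -1 when the record is refused. */
static long place_checked(size_t offset, uint32_t namelen)
{
    size_t reclen = model_reclen(namelen);
    if (reclen > MODEL_PAGE_SIZE)
        return -1; /* record can never fit in one page */
    if (offset + reclen > MODEL_PAGE_SIZE)
        offset = 0;
    return (long)offset;
}

int main(void)
{
    printf("reclen=%zu overflow=%zu checked=%ld\n", model_reclen(4095),
           overflow_unchecked(0, 4095), place_checked(0, 4095));
    return 0;
}
```

Under this model the largest name that still fits in one page is 4072 bytes (24-byte header plus name, already 8-byte aligned).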
Exploit
Memory Corruption
Affected Products
Linux Kernel