CVE-2026-31694

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description An issue exists in the fuse add dirent to cache() function where the system computes a serialized directory entry (dirent) size based on the server-controlled namelen field and copies it into a single page-cache page. The logic fails to verify if the dirent itself exceeds the PAGE SIZE, only checking if it fits in the remaining space of the current page. Consequently, a malicious FUSE server can provide a dirent with namelen set to 4095, resulting in a serialized record size of 4120 bytes. On systems with 4 KiB pages, this leads to a memcpy() operation that overflows the cache page by 24 bytes into the subsequent kernel page.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.