A Linux kernel vulnerability in the FUSE subsystem can allow a local attacker to gain root privileges by overflowing the page cache with attacker-controlled directory entries. The flaw is tracked as CVE-2026-31694 and affects the code path used when the kernel caches FUSE readdir results, allowing a malicious FUSE server to return a directory entry whose serialized size exceeds the capacity of a single page, causing memory corruption that can lead to the execution of arbitrary code within a SUID binary. This vulnerability has a CVSS score of 7.5 and is exploitable on newer kernels with large readdir buffers, specifically those using 4 KiB memory pages. The attack vector is local, requiring the ability to mount or run a FUSE filesystem available through unprivileged user namespaces or fusermount3. The business impact is significant, as an attacker can bypass authentication checks and spawn a root shell, highlighting the importance of limiting FUSE use, removing setuid bits from fusermount3 when not needed, and restricting unprivileged namespaces to mitigate this vulnerability.
We recommend you to update Linux kernel to given version link: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=474ce83c96a55f2eeb14dee2be375eeadfdacdf5[/subscribe_to_unlock_form]
A Linux kernel vulnerability in the FUSE subsystem can allow a local attacker to gain root privileges by overflowing the page cache with attacker-controlled directory entries. The flaw is tracked as CVE-2026-31694 and affects the code path used when the kernel caches FUSE readdir results, allowing a malicious FUSE server to return a directory entry whose serialized size exceeds the capacity of a single page, causing memory corruption that can lead to the execution of arbitrary code within a SUID binary. This vulnerability has a CVSS score of 7.5 and is exploitable on newer kernels with large readdir buffers, specifically those using 4 KiB memory pages. The attack vector is local, requiring the ability to mount or run a FUSE filesystem available through unprivileged user namespaces or fusermount3. The business impact is significant, as an attacker can bypass authentication checks and spawn a root shell, highlighting the importance of limiting FUSE use, removing setuid bits from fusermount3 when not needed, and restricting unprivileged namespaces to mitigate this vulnerability.
We recommend you to update Linux kernel to given version link: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=474ce83c96a55f2eeb14dee2be375eeadfdacdf5[emaillocker id="1283"]
The following reports contain further technical details:
[/emaillocker]