Threat Advisory

Linux FUSE Vulnerability Grants Root Access via Overflow

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A Linux kernel vulnerability in the FUSE subsystem can allow a local attacker to gain root privileges by overflowing the page cache with attacker-controlled directory entries. The flaw is tracked as CVE-2026-31694 and affects the code path used when the kernel caches FUSE readdir results, allowing a malicious FUSE server to return a directory entry whose serialized size exceeds the capacity of a single page, causing memory corruption that can lead to the execution of arbitrary code within a SUID binary. This vulnerability has a CVSS score of 7.5 and is exploitable on newer kernels with large readdir buffers, specifically those using 4 KiB memory pages. The attack vector is local, requiring the ability to mount or run a FUSE filesystem available through unprivileged user namespaces or fusermount3. The business impact is significant, as an attacker can bypass authentication checks and spawn a root shell, highlighting the importance of limiting FUSE use, removing setuid bits from fusermount3 when not needed, and restricting unprivileged namespaces to mitigate this vulnerability.

RECOMMENDATION:

We recommend you to update Linux kernel to given version link: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=474ce83c96a55f2eeb14dee2be375eeadfdacdf5[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A Linux kernel vulnerability in the FUSE subsystem can allow a local attacker to gain root privileges by overflowing the page cache with attacker-controlled directory entries. The flaw is tracked as CVE-2026-31694 and affects the code path used when the kernel caches FUSE readdir results, allowing a malicious FUSE server to return a directory entry whose serialized size exceeds the capacity of a single page, causing memory corruption that can lead to the execution of arbitrary code within a SUID binary. This vulnerability has a CVSS score of 7.5 and is exploitable on newer kernels with large readdir buffers, specifically those using 4 KiB memory pages. The attack vector is local, requiring the ability to mount or run a FUSE filesystem available through unprivileged user namespaces or fusermount3. The business impact is significant, as an attacker can bypass authentication checks and spawn a root shell, highlighting the importance of limiting FUSE use, removing setuid bits from fusermount3 when not needed, and restricting unprivileged namespaces to mitigate this vulnerability.

RECOMMENDATION:

We recommend you to update Linux kernel to given version link: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=474ce83c96a55f2eeb14dee2be375eeadfdacdf5[emaillocker id="1283"]

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu