Vulnerability Details
A newly discovered flaw in the Linux kernel’s FUSE (Filesystem in Userspace) subsystem, tracked as CVE-2026-31694, allows a local attacker to escalate privileges to root. The vulnerability resides in the code path that caches directory entries from FUSE readdir operations. In the function fuse_add_dirent_to_cache(), the kernel calculates the size of a directory entry based on a filename length controlled by the FUSE server without verifying that the full entry fits within a single memory page.
A malicious FUSE server can return a directory entry with a serialized size of 4120 bytes on a system with 4 KiB memory pages, exceeding the page capacity by 24 bytes. When the kernel resets the offset to zero and copies the entry regardless, the overflow corrupts adjacent memory. The bug is exploitable only on kernels using 4 KiB page sizes; systems with larger page sizes are not affected by this specific overflow.
Impact and Exploitation
Researchers at Bynario demonstrated that the overflow can corrupt cached data from a SUID binary such as /usr/bin/su. By overwriting the beginning of the program’s executable code with a short payload that calls setuid(0) and setgid(0), an attacker can bypass authentication checks and spawn a root shell. The attack requires the ability to mount or run a FUSE filesystem, which may be achievable through unprivileged user namespaces or the fusermount3 utility.
The fix involves rejecting any directory entry that does not fit in a single page before caching it. Administrators can reduce exposure by limiting FUSE usage, removing the setuid bit from fusermount3 when not needed, and restricting unprivileged namespaces where appropriate.
Source: Cyber Security News
