Description
In the Linux kernel, the following vulnerability has been resolved:

fuse: reject oversized dirents in page cache

fuse_add_dirent_to_cache() computes a serialized dirent size from the
server-controlled namelen field and copies the dirent into a single
page-cache page. The existing logic only checks whether the dirent fits
in the remaining space of the current page and advances to a fresh page
if not. It never checks whether the dirent itself exceeds PAGE_SIZE.

As a result, a malicious FUSE server can return a dirent with
namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB
page systems this causes memcpy() to overflow the cache page by 24 bytes
into the following kernel page.

Reject dirents that cannot fit in a single page before copying them into
the readdir cache.
Published: 2026-05-01
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is in the Linux kernel’s FUSE filesystem. The fuse_add_dirent_to_cache() routine copies directory entries received from a FUSE server into page‑cache memory without ensuring that the entry fits within a single 4 KiB page. A malicious server can send a name length of 4095 bytes, causing the serialized record to be 4120 bytes. The resulting memcpy() writes 24 bytes past the end of the page buffer into the next kernel page, corrupting kernel memory. Depending on the context, this can trigger a kernel crash, damage data integrity, or provide a basis for privilege escalation.
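The size arithmetic and the missing bound can be checked with a small userspace model. This is an added example, not kernel code or the upstream patch: the struct layout and alignment macro mirror include/uapi/linux/fuse.h, while PAGE_SZ, dirent_reclen() and cache_place() are hypothetical names, and 4 KiB pages are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 4096u /* assumption: 4 KiB pages, as in the advisory */

/* Layout and macros as in include/uapi/linux/fuse.h */
struct fuse_dirent {
    uint64_t ino;
    uint64_t off;
    uint32_t namelen;   /* supplied by the FUSE server */
    uint32_t type;
    char name[];
};
#define FUSE_NAME_OFFSET offsetof(struct fuse_dirent, name)
#define FUSE_DIRENT_ALIGN(x) \
    (((x) + sizeof(uint64_t) - 1) & ~(sizeof(uint64_t) - 1))

/* Serialized record size for a given namelen (header + name, 8-byte aligned). */
static size_t dirent_reclen(uint32_t namelen)
{
    return FUSE_DIRENT_ALIGN(FUSE_NAME_OFFSET + namelen);
}

/*
 * Model of the placement decision. *offset is the fill position in the
 * current cache page. Returns the number of bytes a copy would write past
 * the page end (0 = safe), or -1 if the record is rejected up front.
 */
static long cache_place(size_t *offset, uint32_t namelen, int hardened)
{
    size_t reclen = dirent_reclen(namelen);
    long spill;

    if (hardened && reclen > PAGE_SZ)
        return -1;          /* added bound: record can never fit in a page */
    if (*offset + reclen > PAGE_SZ)
        *offset = 0;        /* pre-existing check: advance to a fresh page */
    spill = (*offset + reclen > PAGE_SZ) ? (long)(*offset + reclen - PAGE_SZ) : 0;
    if (!spill)
        *offset += reclen;  /* record stored, fill position advances */
    return spill;
}

int main(void)
{
    size_t off = 4000;      /* constructed sample fill position */
    printf("reclen(4095)=%zu\n", dirent_reclen(4095));
    printf("without bound: spill=%ld\n", cache_place(&off, 4095, 0));
    off = 4000;
    printf("with bound:    result=%ld\n", cache_place(&off, 4095, 1));
    return 0;
}
```

Moving to a fresh page does not help when the record alone is larger than the page, which is why the bound has to be checked before the copy.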

Affected Systems

All Linux kernel releases that still contain the original fuse_add_dirent_to_cache() implementation are vulnerable. The patch that rejects oversized dirents is present in the commit referenced by the advisory; any distribution shipping kernels that have not incorporated this commit remains affected, regardless of other updates.

Risk and Exploitability

The CVSS score of 7.0 marks the issue as high severity. The EPSS score is unavailable and the CVE is not listed in CISA KEV, so public exploitation data is limited. Exploitation requires control of a FUSE server that a vulnerable system mounts, or the ability to mount a malicious FUSE filesystem locally. After mounting, the attacker can trigger the overflow by issuing a readdir operation. The attack surface is therefore limited to environments where FUSE mounts expose remote or untrusted servers.

Generated by OpenCVE AI on May 2, 2026 at 10:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the FUSE dirent size check fix.
  • If an update cannot be applied immediately, disable or limit FUSE mounts to trusted users and remove unnecessary FUSE filesystem mounts.
  • Apply any security updates or backports that contain the kernel commit which rejects oversized dirents.


Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

  • Weaknesses: Values Added: CWE-1284
  • References
  • Metrics: Values Removed: threat_severity None; Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}, threat_severity Important

Fri, 01 May 2026 14:15:00 +0000

  • Description: Values Added: same text as the Description section above
  • Title: Values Added: fuse: reject oversized dirents in page cache
  • First Time appeared: Values Added: Linux; Linux linux Kernel
  • CPEs: Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Values Added: Linux; Linux linux Kernel
  • References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T13:53:36.048Z

Reserved: 2026-03-09T15:48:24.131Z

Link: CVE-2026-31694

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-01T14:16:19.133

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31694

Redhat

Severity: Important

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31694 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T20:30:05Z

Weaknesses