Description
In the Linux kernel, the following vulnerability has been resolved:

fuse: reject oversized dirents in page cache

fuse_add_dirent_to_cache() computes a serialized dirent size from the
server-controlled namelen field and copies the dirent into a single
page-cache page. The existing logic only checks whether the dirent fits
in the remaining space of the current page and advances to a fresh page
if not. It never checks whether the dirent itself exceeds PAGE_SIZE.

As a result, a malicious FUSE server can return a dirent with
namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB
page systems this causes memcpy() to overflow the cache page by 24 bytes
into the following kernel page.

Reject dirents that cannot fit in a single page before copying them into
the readdir cache.
Published: 2026-05-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel the fuse_add_dirent_to_cache routine copies directory entries from a FUSE server into page‑cache memory without ensuring that a single entry fits within a 4 KiB page. A server can supply a namelen of 4095, producing a serialized record of 4120 bytes. The memcpy operation then writes 24 bytes past the end of the cache page, corrupting the subsequent kernel page.

Affected Systems

All Linux kernel releases that have not incorporated the commit that rejects oversized dirents are vulnerable. Distributions shipping kernels that lack this patch remain affected regardless of other updates.

Risk and Exploitability

The CVSS score of 7.8 classifies the issue as high severity. The EPSS score is less than 1 % and the vulnerability is not listed in the CISA KEV catalog, indicating limited known exploitation. Based on the description, it is inferred that exploitation requires a FUSE server that the vulnerable system mounts or the attacker having the ability to mount a malicious local FUSE filesystem. After the mount, a readdir operation can trigger the overflow, potentially leading to kernel memory corruption and a system crash or data corruption.

Generated by OpenCVE AI on May 6, 2026 at 21:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit rejecting oversized dirents
  • If an update cannot be applied immediately, disable or restrict FUSE mounts to trusted users and remove unnecessary FUSE filesystem mounts
  • Apply any security updates or backports that contain the kernel commit which rejects oversized dirents

Generated by OpenCVE AI on May 6, 2026 at 21:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 01 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fuse: reject oversized dirents in page cache fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existing logic only checks whether the dirent fits in the remaining space of the current page and advances to a fresh page if not. It never checks whether the dirent itself exceeds PAGE_SIZE. As a result, a malicious FUSE server can return a dirent with namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB page systems this causes memcpy() to overflow the cache page by 24 bytes into the following kernel page. Reject dirents that cannot fit in a single page before copying them into the readdir cache.
Title fuse: reject oversized dirents in page cache
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:55.223Z

Reserved: 2026-03-09T15:48:24.131Z

Link: CVE-2026-31694

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T14:16:19.133

Modified: 2026-05-06T19:23:22.460

Link: CVE-2026-31694

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31694 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T22:00:14Z

Weaknesses