CVE-2026-45252 - Vulnerability Details

- Heap overflow in FUSE_LISTXATTR

Description

When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated.

If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space.

Published: 2026-05-21

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The CVE describes a heap overflow that occurs when the FreeBSD kernel processes a FUSE_LISTXATTR request containing an extended attribute list that is not properly NUL-terminated. Because the kernel does not verify that the entire list of NUL-terminated strings is completed, it may read past the bounds of one heap buffer and write beyond the bounds of a second buffer. The overflow can expose up to 253 bytes of kernel heap memory or allow a malicious daemon to inject up to 250 attacker-controlled bytes into unallocated kernel heap space, potentially compromising kernel integrity and privilege.

Affected Systems

FreeBSD operating systems that include the kernel FUSE filesystem module are impacted. No specific kernel revisions are cited; therefore any FreeBSD release that implements the FUSE module may be affected.

Risk and Exploitability

The CVSS score of 5.5 reflects a medium severity, while the EPSS score of <1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. An attacker must control a userspace FUSE daemon capable of sending a malformed FUSE_LISTXATTR message. When such a message is processed by the kernel, the resulting overflow can corrupt kernel heap metadata or overwrite critical structures, which could lead to information disclosure or privilege escalation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

FreeBSD

unknown

Version	Status	Constraints
`15.0-RELEASE`	affected	< p9
`14.4-RELEASE`	affected	< p5
`14.3-RELEASE`	affected	< p14

Configuration 1 [-]

OR	cpe:2.3:o:freebsd:freebsd:14.3:-::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p1::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p10::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p11::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p12::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p13::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p2::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p3::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p4::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p5::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p6::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p7::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p8::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p9::::::
	cpe:2.3:o:freebsd:freebsd:14.4:-::::::
	cpe:2.3:o:freebsd:freebsd:14.4:p1::::::
	cpe:2.3:o:freebsd:freebsd:14.4:p2::::::
	cpe:2.3:o:freebsd:freebsd:14.4:p3::::::
	cpe:2.3:o:freebsd:freebsd:14.4:p4::::::
	cpe:2.3:o:freebsd:freebsd:14.4:rc1::::::
	cpe:2.3:o:freebsd:freebsd:15.0:-::::::
	cpe:2.3:o:freebsd:freebsd:15.0:p1::::::
	cpe:2.3:o:freebsd:freebsd:15.0:p2::::::
	cpe:2.3:o:freebsd:freebsd:15.0:p3::::::
	cpe:2.3:o:freebsd:freebsd:15.0:p4::::::
	cpe:2.3:o:freebsd:freebsd:15.0:p5::::::
	cpe:2.3:o:freebsd:freebsd:15.0:p6::::::
	cpe:2.3:o:freebsd:freebsd:15.0:p7::::::
	cpe:2.3:o:freebsd:freebsd:15.0:p8::::::

No data.

Vendor Product Confidence Versions

Freebsd

100%

Version	Status	Scheme	Platform
`[15.0-RELEASE,p9)`	affected	generic	—
`[14.4-RELEASE,p5)`	affected	generic	—
`[14.3-RELEASE,p14)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the FreeBSD kernel to the latest release that includes the patch correcting the FUSE_LISTXATTR buffer validation.
Limit the users and processes that may register and run FUSE file system daemons, ensuring only trusted services provide extended attribute lists.
Run all remaining FUSE daemons within isolated environments such as FreeBSD jails or with mandatory access control policies to reduce the impact of any malformed messages on the kernel.

Generated by OpenCVE AI on May 21, 2026 at 16:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://security.freebsd.org/advisories/FreeBSD-SA-26:20.fusefs.asc

History

Thu, 21 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:freebsd:freebsd:14.3:-:::::: cpe:2.3:o:freebsd:freebsd:14.3:p10:::::: cpe:2.3:o:freebsd:freebsd:14.3:p11:::::: cpe:2.3:o:freebsd:freebsd:14.3:p12:::::: cpe:2.3:o:freebsd:freebsd:14.3:p13:::::: cpe:2.3:o:freebsd:freebsd:14.3:p1:::::: cpe:2.3:o:freebsd:freebsd:14.3:p2:::::: cpe:2.3:o:freebsd:freebsd:14.3:p3:::::: cpe:2.3:o:freebsd:freebsd:14.3:p4:::::: cpe:2.3:o:freebsd:freebsd:14.3:p5:::::: cpe:2.3:o:freebsd:freebsd:14.3:p6:::::: cpe:2.3:o:freebsd:freebsd:14.3:p7:::::: cpe:2.3:o:freebsd:freebsd:14.3:p8:::::: cpe:2.3:o:freebsd:freebsd:14.3:p9:::::: cpe:2.3:o:freebsd:freebsd:14.4:-:::::: cpe:2.3:o:freebsd:freebsd:14.4:p1:::::: cpe:2.3:o:freebsd:freebsd:14.4:p2:::::: cpe:2.3:o:freebsd:freebsd:14.4:p3:::::: cpe:2.3:o:freebsd:freebsd:14.4:p4:::::: cpe:2.3:o:freebsd:freebsd:14.4:rc1:::::: cpe:2.3:o:freebsd:freebsd:15.0:-:::::: cpe:2.3:o:freebsd:freebsd:15.0:p1:::::: cpe:2.3:o:freebsd:freebsd:15.0:p2:::::: cpe:2.3:o:freebsd:freebsd:15.0:p3:::::: cpe:2.3:o:freebsd:freebsd:15.0:p4:::::: cpe:2.3:o:freebsd:freebsd:15.0:p5:::::: cpe:2.3:o:freebsd:freebsd:15.0:p6:::::: cpe:2.3:o:freebsd:freebsd:15.0:p7:::::: cpe:2.3:o:freebsd:freebsd:15.0:p8::::::

Thu, 21 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H'}`

Thu, 21 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Freebsd Freebsd freebsd
Vendors & Products		Freebsd Freebsd freebsd

Thu, 21 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 21 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated. If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space.
Title		Heap overflow in FUSE_LISTXATTR
Weaknesses		CWE-122
References		https://security.freebsd.org/advisories/FreeBSD-SA-26:20.fusefs.asc

Subscriptions

Freebsd Freebsd

MITRE

Status: PUBLISHED

Assigner: freebsd

Published: 2026-05-21T09:08:00.478Z

Updated: 2026-05-21T13:47:03.794Z

Reserved: 2026-05-11T16:27:44.891Z

Link: CVE-2026-45252

Vulnrichment

Updated: 2026-05-21T12:29:37.010Z

NVD

Status : Analyzed

Published: 2026-05-21T10:16:26.157

Modified: 2026-05-21T19:01:09.797

Link: CVE-2026-45252

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T16:30:14Z

Weaknesses

CWE-122

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object