Impact
The defect resides in the kernel’s FUSE layer, where the operations FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE can be used to write and read page‑cache data for directories that are meant for kernel‑internal caching. This weakness is a CWE‑266 issue involving improper authorization controls. The kernel’s own page‑cache logic rejects such operations for regular files, but before the patch it was possible for a FUSE daemon to invoke these operations on a directory, leading to the kernel’s WARN_ON being triggered and potentially a panic or memory corruption. Consequently, an attacker who can control or tamper with a FUSE daemon may cause the entire system to become unstable or crash, resulting in a denial of service.
Affected Systems
All Linux kernels that contain the FUSE filesystem and expose the two notify operations are affected. The vulnerability applies across vendor distributions that ship the unpatched kernel, regardless of its release version. Exact version boundaries are not specified; administrators should verify whether their running kernel includes the commit that adds the check rejecting these ops on directories.
Risk and Exploitability
The CVSS score of 7.0 reflects a moderate‑to‑high severity impact focused on availability, not confidentiality or integrity. The EPSS score of <1% indicates a low probability of exploitation in the in the CISA analysis. A likely attack vector is an attacker controlling or compromising a FUSE daemon, which typically requires local system access or elevated privileges. The flaw does not provide a pathway to privilege escalation or arbitrary code execution; it primarily permits a local privileged actor to trigger kernel instability or a panic, effectively denying service to the affected host.
OpenCVE Enrichment
Debian DLA