CVE-2026-31694 Overview
CVE-2026-31694 is an out-of-bounds write vulnerability in the Linux kernel's Filesystem in Userspace (FUSE) implementation. The flaw resides in fuse_add_dirent_to_cache(), which fails to validate that a serialized directory entry fits within a single page-cache page before copying it. A malicious FUSE server can supply a dirent with namelen=4095, producing a 4120-byte record that overflows a 4 KiB page by 24 bytes into the adjacent kernel page. The vulnerability affects multiple Linux kernel versions, including 7.1-rc1 and 7.1-rc2.
Critical Impact
A local attacker controlling a FUSE server can corrupt adjacent kernel memory, leading to privilege escalation, kernel memory disclosure, or system crash on 4 KiB page systems.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.1-rc1
- Linux Kernel 7.1-rc2
Discovery Timeline
- 2026-05-01 - CVE-2026-31694 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-31694
Vulnerability Analysis
The vulnerability exists in the FUSE readdir cache code path. The function fuse_add_dirent_to_cache() constructs a serialized dirent whose total size depends on the namelen field controlled by the userspace FUSE server. The existing logic verifies only that the record fits in the remaining space of the current page, advancing to a new page if it does not. It never validates that the record itself fits within PAGE_SIZE.
When a FUSE server returns namelen=4095, the serialized record reaches 4120 bytes. On systems with 4 KiB pages, the subsequent memcpy() writes 24 bytes past the end of the destination page into the next kernel page. The CWE classification is currently listed as NVD-CWE-noinfo, but the defect maps to an out-of-bounds write [CWE-787].
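The size arithmetic and the missing check described above, as a user-space C model added here for illustration (it is not kernel code and not part of the advisory). The field layout follows struct fuse_dirent from the FUSE uapi header; the model_* names and the 4096-byte page constant are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u   /* assumption: 4 KiB pages, as in the advisory */

/* Same field layout as struct fuse_dirent in the FUSE uapi header. */
struct model_dirent {
    uint64_t ino;
    uint64_t off;
    uint32_t namelen;           /* supplied by the userspace FUSE server */
    uint32_t type;
    char name[];
};

/* Serialized record length: 24-byte header plus name, rounded up to 8 bytes. */
static size_t model_reclen(uint32_t namelen)
{
    size_t raw = offsetof(struct model_dirent, name) + namelen;
    return (raw + sizeof(uint64_t) - 1) & ~(sizeof(uint64_t) - 1);
}

/* Pre-patch placement: only asks whether the record fits in the rest of the
 * current page. Returns how many bytes the copy would run past the page. */
static size_t model_overrun_unchecked(size_t cache_size, size_t reclen)
{
    size_t offset = cache_size % MODEL_PAGE_SIZE;
    if (offset + reclen > MODEL_PAGE_SIZE)
        offset = 0;             /* jump to a fresh page */
    size_t end = offset + reclen;
    return end > MODEL_PAGE_SIZE ? end - MODEL_PAGE_SIZE : 0;
}

/* Patched behaviour: a record larger than one page is refused (-1), else 0. */
static int model_accept_checked(size_t reclen)
{
    return reclen > MODEL_PAGE_SIZE ? -1 : 0;
}

int main(void)
{
    uint32_t lens[] = { 255, 4072, 4073, 4095 };   /* constructed sample values */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t r = model_reclen(lens[i]);
        printf("namelen=%u reclen=%zu overrun=%zu checked=%d\n", lens[i], r,
               model_overrun_unchecked(0, r), model_accept_checked(r));
    }
    return 0;
}
```

In this model the largest name that still fits a 4 KiB page is 4072 bytes; moving to a fresh page never helps a record that is itself larger than the page, which is why the check has to be made against the page size rather than the remaining space.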
Root Cause
The root cause is missing bounds validation against PAGE_SIZE for server-controlled input. The cache insertion logic trusts the namelen field without asserting that the serialized dirent size cannot exceed a single page.
Attack Vector
Exploitation requires local access and the ability to mount or interact with a FUSE filesystem. An attacker operating a malicious FUSE server crafts directory entries with oversized names. When the kernel populates the readdir cache, the overflow corrupts adjacent kernel memory. Containers and unprivileged user namespaces that permit FUSE mounts widen the exposure.
No public exploit code or proof-of-concept is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 0.013%.
Detection Methods for CVE-2026-31694
Indicators of Compromise
- Unexpected kernel oops, panic, or BUG: messages referencing fuse_add_dirent_to_cache or memcpy in dmesg.
- KASAN reports indicating slab-out-of-bounds or page-boundary writes originating from FUSE readdir paths.
- Unprivileged processes mounting FUSE filesystems followed by directory enumeration of attacker-controlled mounts.
Detection Strategies
- Audit kernel logs for FUSE-related crashes, stack traces, and KASAN diagnostics on hosts running pre-patch kernels.
- Inventory running kernels against the fixed commits 45c05af3, 474ce83c, 51a8de6c, 7de93abf, and d23ad78b to identify vulnerable systems.
- Monitor for unusual mount.fuse or fusermount invocations from non-administrative users and containers.
Monitoring Recommendations
- Forward kernel ring buffer events and audit logs to a centralized SIEM for correlation across the fleet.
- Alert on creation of FUSE mounts inside unprivileged user namespaces and container workloads.
- Track process telemetry for binaries that implement FUSE servers running outside expected application paths.
How to Mitigate CVE-2026-31694
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the stable kernel commits once available from your distribution.
- Restrict FUSE mount privileges by disallowing unprivileged user namespaces from mounting FUSE filesystems where feasible.
- Identify and patch container hosts and multi-tenant systems first, as they present the broadest local attack surface.
Patch Information
The fix rejects dirents that cannot fit in a single page before copying them into the readdir cache. Patches are available in five stable-tree commits: 45c05af3, 474ce83c, 51a8de6c, 7de93abf, and d23ad78b.
Workarounds
- Disable the FUSE module (modprobe -r fuse) on systems that do not require user-space filesystems.
- Set /sys/module/fuse/parameters/userns_mounts or equivalent distribution controls to prohibit FUSE mounts from non-root users.
- Constrain container runtimes to block the mount syscall and FUSE device access via seccomp and device cgroup policies.
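```bash
# Configuration example: prevent unprivileged FUSE mounts and block the module
# Sysctl provided by distribution kernel patches (e.g. Debian); not a mainline sysctl
sysctl -w kernel.unprivileged_userns_clone=0
# Root-only access to the FUSE device node (not persistent across reboots)
chmod 600 /dev/fuse
# Make future "modprobe fuse" requests a no-op
echo "install fuse /bin/true" >> /etc/modprobe.d/disable-fuse.conf
```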
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


