CVE-2026-45252 Overview
CVE-2026-45252 is a heap buffer overflow [CWE-122] in the FreeBSD fusefs kernel module. The vulnerability affects the handling of FUSE_LISTXATTR responses returned by a userspace FUSE daemon. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings representing extended attribute names. The fusefs kernel module calls strlen() on the daemon-supplied buffer without verifying that the list is properly NUL-terminated.
A malicious FUSE daemon can supply a non-terminated buffer, causing the kernel to read past one heap-allocated buffer and write past a second. The flaw enables disclosure of up to 253 bytes of kernel heap memory or injection of up to 250 attacker-controlled bytes into unallocated kernel heap space.
Critical Impact
A malicious userspace FUSE daemon can read kernel heap memory or corrupt adjacent kernel heap regions, enabling information disclosure and potential local privilege escalation.
Affected Products
- FreeBSD operating system with the fusefs kernel module enabled
- Systems mounting fusefs file systems backed by untrusted userspace daemons
- Refer to the FreeBSD Security Advisory for specific affected releases
Discovery Timeline
- 2026-05-21 - CVE-2026-45252 published to NVD
- 2026-05-21 - Last updated in NVD database
Technical Details for CVE-2026-45252
Vulnerability Analysis
The FUSE (Filesystem in Userspace) protocol routes file system operations from the kernel to a userspace daemon. When a process queries extended attributes on a fusefs-backed file, the kernel sends a FUSE_LISTXATTR request and expects a packed buffer of NUL-terminated attribute names in response.
The fusefs kernel module iterates through the returned buffer using strlen() to compute the length of each entry. The module does not validate that the buffer ends with a NUL byte before calling strlen(). If the daemon omits the final NUL, strlen() reads past the end of the source heap buffer until it encounters an arbitrary NUL in adjacent kernel memory.
The over-read length is then used to copy data into a second destination buffer, allowing up to 253 bytes of out-of-bounds read and up to 250 bytes of out-of-bounds write into unallocated kernel heap space.
Root Cause
The root cause is missing input validation on data crossing the userspace-kernel trust boundary. The fusefs module trusts the daemon-supplied length and content of the FUSE_LISTXATTR reply without confirming the terminal NUL byte before invoking string-handling routines.
Attack Vector
An attacker must control a userspace FUSE daemon serving a mounted fusefs file system. On systems where unprivileged users can mount fusefs file systems, a local user can exploit the flaw by registering a malicious daemon and triggering a listxattr syscall against a file in the mount. The daemon returns a crafted non-NUL-terminated buffer to leak kernel heap memory or corrupt adjacent allocations.
The vulnerability manifests in the FUSE_LISTXATTR reply path. See the FreeBSD Security Advisory for low-level technical details.
Detection Methods for CVE-2026-45252
Indicators of Compromise
- Unexpected fusefs mounts originating from non-administrative users or unfamiliar daemon binaries
- Kernel panics, page faults, or memory corruption traces referencing fuse_vnop_listextattr or related fusefs symbols
- Processes invoking listxattr, flistxattr, or extattr_list_file against paths within fusefs mounts shortly after a new mount event
Detection Strategies
- Audit mount and nmount syscalls for fusefs file system types and correlate with the invoking user identity
- Monitor /dev/fuse open events and the parent processes acting as FUSE daemons
- Inspect kernel crash dumps for heap corruption signatures within the fusefs module call path
Monitoring Recommendations
- Forward FreeBSD auditd and kernel log telemetry to a centralized analytics pipeline for correlation of mount events with subsequent extended-attribute queries
- Alert on vfs.usermount sysctl changes that would permit unprivileged users to mount fusefs file systems
- Track installation or execution of unsigned FUSE daemon binaries on production hosts
How to Mitigate CVE-2026-45252
Immediate Actions Required
- Apply the patch published in the FreeBSD Security Advisory FreeBSD-SA-26:20.fusefs and reboot affected hosts
- Set vfs.usermount=0 to prevent unprivileged users from mounting fusefs file systems until patched
- Inventory hosts running fusefs and validate the trust level of every userspace FUSE daemon in use
Patch Information
FreeBSD has issued an official patch through advisory FreeBSD-SA-26:20.fusefs. The fix validates that the daemon-supplied FUSE_LISTXATTR buffer is properly NUL-terminated before invoking strlen(). Administrators should apply the kernel update using freebsd-update or rebuild and install the patched kernel from source.
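The check described under Root Cause and in the fix above can be sketched in userspace C. This is an added example, not the FreeBSD patch or fusefs code; the function names are hypothetical and the sample replies are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* O(1) pre-check: a non-empty packed name list must end in a NUL byte. */
static int xattr_list_terminated(const char *buf, size_t len)
{
    return len == 0 || buf[len - 1] == '\0';
}

/*
 * Copy each NUL-terminated name from an untrusted packed list into dst,
 * never reading past src + src_len and never writing past dst + dst_len.
 * Returns the number of names copied, or -1 if the list is malformed or
 * dst is too small (dst contents are unspecified on failure).
 */
static int xattr_list_copy(const char *src, size_t src_len,
                           char *dst, size_t dst_len)
{
    size_t off = 0, out = 0;
    int names = 0;

    if (!xattr_list_terminated(src, src_len))
        return -1;                       /* reject before any string walk */
    while (off < src_len) {
        /* memchr() is bounded by the bytes remaining, unlike strlen(). */
        const char *nul = memchr(src + off, '\0', src_len - off);
        size_t n;

        if (nul == NULL)
            return -1;                   /* defense in depth */
        n = (size_t)(nul - (src + off)) + 1;   /* entry length incl. NUL */
        if (n > dst_len - out)
            return -1;                   /* copy would overrun dst */
        memcpy(dst + out, src + off, n);
        off += n; out += n; names++;
    }
    return names;
}

/* Constructed sample replies: two names; the second reply lacks the final NUL. */
static const char good_reply[] = {'u','s','e','r','.','a',0,'u','s','e','r','.','b',0};
static const char bad_reply[]  = {'u','s','e','r','.','a',0,'u','s','e','r','.','b'};

int main(void)
{
    char dst[32];
    printf("good: %d\n", xattr_list_copy(good_reply, sizeof(good_reply), dst, sizeof(dst)));
    printf("bad:  %d\n", xattr_list_copy(bad_reply, sizeof(bad_reply), dst, sizeof(dst)));
    return 0;
}
```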
Workarounds
- Disable the fuse kernel module with kldunload fuse on hosts that do not require fusefs functionality
- Restrict fusefs mounts to administrator-controlled daemons by setting vfs.usermount=0 in /etc/sysctl.conf
- Remove or restrict execute permissions on third-party FUSE daemon binaries until the patch is deployed
# Configuration example
# Disable unprivileged user mounts
sysctl vfs.usermount=0
echo 'vfs.usermount=0' >> /etc/sysctl.conf
# Unload fusefs kernel module if not required
kldunload fuse
# Apply FreeBSD security updates
freebsd-update fetch
freebsd-update install
shutdown -r now


