Ubuntu and Linux Kernel: Linux FUSE Vulnerability Allows Unprivileged Users to Pop a Root Shell

Ubuntu and Linux Kernel: Linux FUSE Vulnerability Allows Unprivileged Users to Pop a Root Shell

Critical Linux Kernel Flaw (CVE-2026-31694) Enables Local Privilege Escalation to Root

A newly disclosed vulnerability in the Linux kernel’s FUSE (Filesystem in Userspace) subsystem, tracked as CVE-2026-31694, allows unprivileged local attackers to escalate privileges to root by corrupting the page cache and hijacking the execution of SUID binaries, such as /usr/bin/su on Ubuntu 26.04.

The flaw resides in the fuse_add_dirent_to_cache() function in fs/fuse/readdir.c, where the kernel copies FUSE directory entries into the page cache when the FOPEN_CACHE_DIR flag is enabled. The vulnerability stems from insufficient bounds checking: while the namelen field in struct fuse_dirent is capped at 4,095 bytes, the resulting serialized record size (4,120 bytes) exceeds the standard 4 KiB page size on x86_64 systems. The kernel fails to verify whether the record itself exceeds PAGE_SIZE, leading to a 24-byte heap overflow when copying data into a new page.

Exploitation requires an attacker to mount a FUSE filesystem either via unprivileged user namespaces or fusermount3 and return an oversized directory entry. By triggering getdents64() on the crafted directory, the attacker can manipulate memory allocations to position the overflowed page immediately before the .init section of a SUID binary like /usr/bin/su. The 24-byte overflow then overwrites the binary’s initial instructions with shellcode that calls setuid(0) and setgid(0), granting root access without authentication.

Affected Systems & Exploitation Requirements

  • Vulnerable Kernels: Linux v6.16-rc1 and later (practical exploitation begins after commit dabb90391028, which increased the FUSE readdir buffer size).
  • Architectures: Only systems with 4 KiB page sizes (e.g., x86_64) are affected; larger page sizes (e.g., 64 KiB) are immune.
  • Attack Prerequisites: The attacker must have local access and the ability to mount FUSE filesystems, either through unprivileged user namespaces or fusermount3.

Patch & Mitigations
Upstream developers addressed the flaw with a patch (commit 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed) that prevents caching of directory entries exceeding PAGE_SIZE. Administrators are advised to deploy kernel updates incorporating this fix. Additional hardening measures include:

  • Removing the setuid bit from fusermount3 where unnecessary.
  • Restricting or disabling unprivileged user namespaces to reduce attack surface.

The vulnerability highlights how small, deterministic overflows in kernel subsystems when combined with precise page-cache manipulation can enable reliable root exploits.

Source: https://gbhackers.com/linux-fuse-vulnerability/

Ubuntu TPRM report: https://www.rankiteo.com/company/canonical

Linux Kernel TPRM report: https://www.rankiteo.com/company/canonical

"id": "can1783693822",
"linkid": "canonical",
"type": "Vulnerability",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Users of Linux distributions '
                                              'with vulnerable kernels (e.g., '
                                              'Ubuntu 26.04)',
                        'industry': 'Technology/Operating Systems',
                        'location': 'Global',
                        'name': 'Linux Kernel Project',
                        'type': 'Open-Source Software'}],
 'attack_vector': 'Local',
 'description': 'A newly disclosed vulnerability in the Linux kernel’s FUSE '
                '(Filesystem in Userspace) subsystem, tracked as '
                'CVE-2026-31694, allows unprivileged local attackers to '
                'escalate privileges to root by corrupting the page cache and '
                'hijacking the execution of SUID binaries, such as '
                '`/usr/bin/su` on Ubuntu 26.04. The flaw resides in the '
                '`fuse_add_dirent_to_cache()` function in `fs/fuse/readdir.c`, '
                'where insufficient bounds checking leads to a 24-byte heap '
                'overflow when copying FUSE directory entries into the page '
                'cache. Exploitation requires mounting a FUSE filesystem and '
                'returning an oversized directory entry to manipulate memory '
                'allocations and overwrite SUID binary instructions with '
                'shellcode.',
 'impact': {'operational_impact': 'Unauthorized root access, potential system '
                                  'compromise',
            'systems_affected': 'Linux systems with kernel v6.16-rc1 and later '
                                '(x86_64, 4 KiB page size)'},
 'lessons_learned': 'Small, deterministic overflows in kernel subsystems can '
                    'enable reliable root exploits when combined with precise '
                    'page-cache manipulation. Importance of bounds checking in '
                    'memory operations.',
 'post_incident_analysis': {'corrective_actions': 'Patch to prevent caching of '
                                                  'directory entries exceeding '
                                                  '`PAGE_SIZE`.',
                            'root_causes': 'Insufficient bounds checking in '
                                           '`fuse_add_dirent_to_cache()` '
                                           'function, leading to a 24-byte '
                                           'heap overflow when copying FUSE '
                                           'directory entries into the page '
                                           'cache.'},
 'recommendations': ['Deploy kernel updates incorporating the patch (commit '
                     '`51a8de6c50bf947c8f534cd73da4c8f0a13e7bed`).',
                     'Remove the setuid bit from `fusermount3` where '
                     'unnecessary.',
                     'Restrict or disable unprivileged user namespaces to '
                     'reduce attack surface.'],
 'references': [{'source': 'Linux Kernel Mailing List'},
                {'source': 'CVE-2026-31694 Details'}],
 'response': {'containment_measures': 'Kernel patch (commit '
                                      '`51a8de6c50bf947c8f534cd73da4c8f0a13e7bed`) '
                                      'to prevent caching of oversized '
                                      'directory entries',
              'remediation_measures': 'Deploy kernel updates incorporating the '
                                      'patch'},
 'title': 'Critical Linux Kernel Flaw (CVE-2026-31694) Enables Local Privilege '
          'Escalation to Root',
 'type': 'Privilege Escalation',
 'vulnerability_exploited': 'CVE-2026-31694 (Heap Overflow in FUSE Subsystem)'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.