Linux Kernel FUSE Vulnerability (CVE-2026-31694) Enables Local Privilege Escalation
A critical vulnerability in the Linux kernel’s FUSE (Filesystem in Userspace) subsystem, tracked as CVE-2026-31694, allows local attackers to escalate privileges to root by exploiting a flaw in directory entry caching. The issue stems from the fuse_add_dirent_to_cache() function, which fails to validate whether a directory entry exceeds the size of a single memory page before copying it into the cache.
On systems with 4 KiB memory pages, a malicious FUSE server can return a directory entry sized at 4,120 bytes 24 bytes larger than a single page. When the kernel attempts to cache this entry, the overflow corrupts adjacent memory. Researchers demonstrated that this corruption can overwrite cached bytes from SUID binaries, such as /usr/bin/su, with malicious payloads that execute setuid(0) and setgid(0), bypassing authentication and granting a root shell.
The attack requires local access and the ability to mount or interact with a FUSE filesystem, which may be possible via unprivileged user namespaces or fusermount3. The vulnerability affects newer kernels with large readdir buffers but is limited to systems using 4 KiB page sizes; larger page configurations are unaffected.
A patch has been released to reject oversized directory entries before caching. Mitigation options include restricting FUSE usage, removing the setuid bit from fusermount3, and limiting unprivileged namespaces. The flaw underscores the risks of kernel-level caching mechanisms in privileged operations.
Source: https://cybersecuritynews.com/linux-kernel-fuse-vulnerability/
Linux Kernel TPRM report: https://www.rankiteo.com/company/linux-kernel-foundation
"id": "lin1783686231",
"linkid": "linux-kernel-foundation",
"type": "Vulnerability",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'All Linux distributions using '
'affected kernel versions',
'industry': 'Technology/Operating Systems',
'location': 'Global',
'name': 'Linux Kernel',
'type': 'Software'}],
'attack_vector': 'Local',
'description': 'A critical vulnerability in the Linux kernel’s FUSE '
'(Filesystem in Userspace) subsystem, tracked as '
'CVE-2026-31694, allows local attackers to escalate privileges '
'to root by exploiting a flaw in directory entry caching. The '
'issue stems from the `fuse_add_dirent_to_cache()` function, '
'which fails to validate whether a directory entry exceeds the '
'size of a single memory page before copying it into the '
'cache. On systems with 4 KiB memory pages, a malicious FUSE '
'server can return a directory entry sized at 4,120 bytes (24 '
'bytes larger than a single page). When the kernel attempts to '
'cache this entry, the overflow corrupts adjacent memory. '
'Researchers demonstrated that this corruption can overwrite '
'cached bytes from SUID binaries, such as `/usr/bin/su`, with '
'malicious payloads that execute `setuid(0)` and `setgid(0)`, '
'bypassing authentication and granting a root shell.',
'impact': {'operational_impact': 'Unauthorized root access, potential system '
'compromise',
'systems_affected': 'Linux systems with 4 KiB page sizes and FUSE '
'subsystem enabled'},
'lessons_learned': 'The flaw underscores the risks of kernel-level caching '
'mechanisms in privileged operations.',
'post_incident_analysis': {'corrective_actions': 'Patch to validate and '
'reject oversized directory '
'entries before caching',
'root_causes': 'Failure to validate directory '
'entry size in '
'`fuse_add_dirent_to_cache()` '
'function, leading to memory '
'corruption'},
'recommendations': ['Apply the patch to reject oversized directory entries',
'Restrict FUSE usage where unnecessary',
'Remove the setuid bit from `fusermount3`',
'Limit unprivileged user namespaces'],
'response': {'containment_measures': 'Patch released to reject oversized '
'directory entries before caching',
'remediation_measures': ['Restricting FUSE usage',
'Removing the setuid bit from '
'`fusermount3`',
'Limiting unprivileged namespaces']},
'title': 'Linux Kernel FUSE Vulnerability (CVE-2026-31694) Enables Local '
'Privilege Escalation',
'type': 'Privilege Escalation',
'vulnerability_exploited': 'CVE-2026-31694 (FUSE directory entry caching '
'flaw)'}