A critical vulnerability has been identified in the Linux kernel’s Filesystem in Userspace (FUSE) subsystem, potentially allowing local attackers to escalate their privileges to root. This flaw, designated as CVE-2026-31694, arises from improper validation within the fuse_add_dirent_to_cache() function, which handles the caching of directory entries.
FUSE enables user-space filesystems to communicate with the kernel via the /dev/fuse interface, facilitating the caching of directory entries to enhance performance. The vulnerability stems from the kernel’s failure to verify that the size of a directory entry, determined by the length of the filename provided by the FUSE server, fits within a single page of memory before copying it into the page cache.
Exploitation of this flaw involves a malicious FUSE server returning a directory entry with a serialized size exceeding the standard 4 KiB page size. For instance, a directory entry of 4,120 bytes would overflow the allocated page by 24 bytes, leading to memory corruption. This overflow can be strategically used to overwrite adjacent memory regions, including critical system binaries.
In practical terms, an attacker could corrupt cached bytes of a setuid binary, such as /usr/bin/su, by replacing the initial executable code with a payload that invokes setuid(0) and setgid(0). Successfully executing these system calls within a root-owned program allows the attacker to bypass authentication mechanisms and obtain a root shell.
To exploit this vulnerability, an attacker requires the capability to mount or execute a FUSE filesystem. This access may be available through unprivileged user namespaces or utilities like fusermount3. Notably, the issue is prevalent in newer kernel versions with large readdir buffers and primarily affects systems utilizing 4 KiB memory pages. Systems with larger page sizes are not susceptible to this specific overflow.
The recommended mitigation involves updating the Linux kernel to a version where this vulnerability has been addressed. The fix entails rejecting any directory entry that exceeds a single page in size before caching it. Additionally, administrators can enhance security by limiting the use of FUSE, removing the setuid bit from fusermount3 when unnecessary, and restricting unprivileged namespaces as appropriate.
This vulnerability underscores the critical importance of rigorous input validation within kernel subsystems, especially those interfacing with user-space components. It also highlights the necessity for system administrators to stay vigilant with kernel updates and to implement security best practices to mitigate potential exploitation risks.