A significant vulnerability has been discovered in the Linux kernel’s FUSE subsystem, posing a risk of privilege escalation to root access. This flaw, identified as CVE-2026-31694, affects the mechanism through which the kernel caches FUSE directory entries.
Understanding the FUSE Vulnerability
The FUSE interface facilitates communication between a userspace filesystem and the Linux kernel by utilizing /dev/fuse. It is designed to cache directory entries to enhance read performance. However, a critical issue arises in the function fuse_add_dirent_to_cache(). Here, the kernel estimates the size of directory entries based on a server-determined filename length, subsequently copying these entries into a cache page without validating if they exceed the page’s capacity.
This vulnerability is particularly dangerous because a malicious FUSE server can generate directory entries larger than the typical 4 KiB page size, specifically around 4120 bytes. This results in a memory overflow, potentially affecting adjacent memory pages.
Exploitation and Impact
Research conducted by Bynario highlights the gravity of this flaw, which can lead to memory corruption. The exploit involves overwriting cached bytes of a SUID binary such as /usr/bin/su, allowing an attacker to insert code to execute setuid(0) and setgid(0). These system calls can grant root access, bypassing normal authentication protocols.
This vulnerability is exploitable under specific conditions, particularly on systems configured with 4 KiB memory pages and large readdir buffers. Exploitation requires either mounting or operating a FUSE filesystem, potentially accessible through unprivileged user namespaces or tools like fusermount3.
Mitigation Strategies
To mitigate this security risk, administrators should ensure that any directory entry exceeding the page size is rejected before caching. Systems not using 4 KiB pages remain unaffected by this particular overflow.
Additional protective measures include limiting FUSE usage, removing the setuid bit from fusermount3 when unnecessary, and restricting access to unprivileged namespaces. Implementing these strategies can significantly reduce the vulnerability exposure.
As the threat landscape evolves, maintaining vigilance in applying security patches and controls is paramount to safeguarding systems against such vulnerabilities.
