CVE-2026-31694

HIGH EPSS 2.9%
Published May 1, 20262mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published May 1, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: fuse: reject oversized dirents in page cache fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existing logic only checks whether the dirent fits in the remaining space of the current page and advances to a fresh page if not. It never checks whether the dirent itself exceeds PAGE_SIZE. As a result, a malicious FUSE server can return a dirent with namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB page systems this causes memcpy() to overflow the cache page by 24 bytes into the following kernel page. Reject dirents that cannot fit in a single page before copying them into the readdir cache.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 6

VendorProductVersionRange
linuxlinux_kernel*≥4.20  –  <6.6.136
linuxlinux_kernel*≥6.7  –  <6.12.84
linuxlinux_kernel*≥6.13  –  <6.18.25
linuxlinux_kernel*≥6.19  –  <7.0.2
linuxlinux_kernel7.1any
linuxlinux_kernel7.1any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/038e61812fa52ef62bad2cfc96bf37dc0db47c1e
  • git.kernel.org https://git.kernel.org/stable/c/1d4a517fa90480c52fd452fea2686cd80f773ce2
  • git.kernel.org https://git.kernel.org/stable/c/3059f9abe7f1ba8fddf3c86c5faa1eeacf07e7d4
  • git.kernel.org https://git.kernel.org/stable/c/45c05af36311624c1148123caeb011312495d86b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/474ce83c96a55f2eeb14dee2be375eeadfdacdf5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/51a8de6c50bf947c8f534cd73da4c8f0a13e7bed
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7de93abfaae1b2dc94da8a07a36421bd073f1d8f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d23ad78bfd205eac26766e38ba7d79f279131098
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/45c05af36311624c1148123caeb011312495d86b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/474ce83c96a55f2eeb14dee2be375eeadfdacdf5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/51a8de6c50bf947c8f534cd73da4c8f0a13e7bed
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7de93abfaae1b2dc94da8a07a36421bd073f1d8f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d23ad78bfd205eac26766e38ba7d79f279131098
    Patch