CVE-2011-3353
Description
A buffer overflow in the Linux kernel's FUSE subsystem allows local users with FUSE mount capability to cause a system crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overflow exists in the fuse_notify_inval_entry function in fs/fuse/dev.c in the Linux kernel before version 3.1. The function processes FUSE_NOTIFY_INVAL_ENTRY messages without validating the length of the write, allowing message processing to overrun and trigger a BUG_ON in fuse_copy_fill(). The issue was introduced by commit 3b463ae0c6264f and affects systems where a user can mount a FUSE filesystem [1][4].
Exploitation
An attacker must have the ability to mount a FUSE filesystem on the target system. By sending a specially malformed FUSE_NOTIFY_INVAL_ENTRY message with an invalid namelen field, the attacker can cause the kernel to reach a BUG_ON condition during the copy operation in fuse_copy_fill() [1][4]. No authentication or network access is required beyond the local user privileges that allow FUSE mounting.
Impact
Successful exploitation results in a denial of service (DoS) condition. The kernel hits a BUG_ON and crashes, causing the system to become unavailable. No code execution or privilege escalation is reported; the impact is limited to system crash and reboot [1][3].
Mitigation
The issue is fixed in Linux kernel version 3.1 by commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae [2][4]. Red Hat Enterprise Linux 4 and 5 are not affected; Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG received updates via RHSA-2011:1465 and RHSA-2012:0010 [3]. Users should apply the kernel update or patch the source code with the fix commit [4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.1
Patches
c2183d1e9b3f fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
1 file changed · +4 −0
fs/fuse/dev.c+4 −0 modified@@ -1358,6 +1358,10 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size, if (outarg.namelen > FUSE_NAME_MAX) goto err; + err = -EINVAL; + if (size != sizeof(outarg) + outarg.namelen + 1) + goto err; + name.name = buf; name.len = outarg.namelen; err = fuse_copy_one(cs, buf, outarg.namelen + 1);
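Review bot: The added comparison in fuse_notify_inval_entry(), size != sizeof(outarg) + outarg.namelen + 1, carries no comment explaining the "+ 1", and it has to stay in step with the fuse_copy_one(cs, buf, outarg.namelen + 1) call that follows it. A one-line comment tying the two together (the extra byte copied after the name) would keep a later change to either line from silently reintroducing the mismatch. The test is a strict inequality, so a write longer than header plus name is refused with -EINVAL as well as a shorter one; that looks intended, but the commit message should say so. Placement is right: the check sits after the outarg.namelen > FUSE_NAME_MAX bound, so the sum is computed from an already bounded namelen.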
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.1 (nvd: Mailing List, Patch, Vendor Advisory)
- www.openwall.com/lists/oss-security/2011/09/09/6 (nvd: Mailing List, Patch, Third Party Advisory)
- bugzilla.redhat.com/show_bug.cgi (nvd: Issue Tracking, Patch, Third Party Advisory)
- github.com/torvalds/linux/commit/c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae (nvd: Patch, Third Party Advisory)
- git.kernel.org (nvd)