VYPR
researchPublished Jul 10, 2026· 1 source

Linux Kernel FUSE Vulnerability Allows Local Privilege Escalation to Root

A vulnerability in the Linux kernel's FUSE subsystem, CVE-2026-31694, enables local attackers to gain root privileges by corrupting memory through oversized directory entries.

A critical vulnerability within the Linux kernel's FUSE (Filesystem in Userspace) subsystem, identified as CVE-2026-31694, has been disclosed, presenting a significant risk of privilege escalation for local attackers. The flaw resides in the fuse_add_dirent_to_cache() function, which handles the caching of directory entries for FUSE filesystems. This mechanism is designed to improve performance by storing frequently accessed directory information in the kernel's page cache for faster retrieval.

However, the vulnerability arises from an insufficient size check before copying directory entries into the cache. The kernel calculates the size of a directory entry based on a filename length provided by a potentially malicious FUSE server. It then attempts to copy this entry into a single cache page without verifying if the total size of the entry exceeds the capacity of that page. On systems utilizing 4 KiB memory pages, a crafted directory entry can be up to 4120 bytes, which is 24 bytes larger than a single page.

When such an oversized entry is processed, the kernel proceeds to copy it, causing a buffer overflow that spills into adjacent memory pages. This uncontrolled write operation corrupts data stored in the page cache. While memory corruption itself is a serious issue, the true danger of CVE-2026-31694 lies in the potential to overwrite critical data structures, particularly those related to SUID (Set User ID) binaries.

Researchers demonstrated that this overflow can be exploited to corrupt cached data from SUID binaries, such as /usr/bin/su. By carefully overwriting the initial bytes of the executable code with a small payload, an attacker can manipulate the program's execution flow. This payload can then execute system calls like setuid(0) and setgid(0), effectively changing the process's identity to root before the original program continues its intended operation.

Once the attacker successfully executes these identity-changing system calls within a root-owned program, they can bypass standard authentication mechanisms and spawn a root shell. This grants them complete administrative control over the affected system. The attack vector requires the attacker to have the ability to mount or run a FUSE filesystem, which can often be achieved through unprivileged user namespaces or the fusermount3 utility.

According to the analysis by Bynario, the vulnerability is exploitable on newer Linux kernels that support large readdir buffers. Importantly, systems employing larger memory page sizes (e.g., 64 KiB) are not susceptible to this specific overflow due to the larger page capacity. The fix for this vulnerability is relatively straightforward: the kernel should reject any directory entry that cannot fit entirely within a single cache page before attempting to store it.

In addition to applying the patch, system administrators can mitigate exposure by limiting the use of FUSE filesystems where possible. Further hardening measures include removing the setuid bit from fusermount3 if it is not strictly necessary for unprivileged users and restricting the use of unprivileged user namespaces, which can be a common entry point for such attacks.

The disclosure of CVE-2026-31694 underscores the ongoing security challenges within the Linux kernel, particularly concerning subsystems that interface with user-space components. Vulnerabilities like this highlight the importance of rigorous code auditing and timely patching to maintain system integrity and prevent unauthorized privilege escalation.

Synthesized by Vypr AI