CVE-2026-31694
Received Received - Intake
Buffer Overflow in Linux Kernel FUSE

Publication date: 2026-05-01

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: fuse: reject oversized dirents in page cache fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existing logic only checks whether the dirent fits in the remaining space of the current page and advances to a fresh page if not. It never checks whether the dirent itself exceeds PAGE_SIZE. As a result, a malicious FUSE server can return a dirent with namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB page systems this causes memcpy() to overflow the cache page by 24 bytes into the following kernel page. Reject dirents that cannot fit in a single page before copying them into the readdir cache.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31694
EUVD
EUVD-2026-26503
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.7 (inc) to 6.12.84 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.25 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.2 (exc)
linux linux_kernel From 4.20 (inc) to 6.6.136 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's FUSE (Filesystem in Userspace) implementation. Specifically, the function fuse_add_dirent_to_cache() calculates the size of directory entries (dirents) based on a server-controlled name length field (namelen) and copies these entries into a page cache.

The problem is that the function only checks if the dirent fits in the remaining space of the current page and moves to a new page if it doesn't, but it never verifies if the dirent itself is larger than the entire page size (PAGE_SIZE).

A malicious FUSE server can exploit this by sending a dirent with a very large namelen (e.g., 4095), resulting in a serialized record size of 4120 bytes. On systems with 4 KiB pages, this causes a buffer overflow of 24 bytes beyond the intended page boundary into the next kernel page.

The fix involves rejecting dirents that cannot fit entirely within a single page before copying them into the readdir cache, preventing this overflow.

Impact Analysis

This vulnerability can lead to a buffer overflow in the kernel's page cache when processing directory entries from a FUSE server. Such an overflow may corrupt adjacent kernel memory pages.

Potential impacts include system instability, crashes, or exploitation by an attacker to execute arbitrary code with kernel privileges, leading to a full system compromise.

Since the vulnerability is triggered by a malicious FUSE server, systems that mount or interact with untrusted FUSE filesystems are particularly at risk.

Mitigation Strategies

The vulnerability has been resolved by rejecting dirents that cannot fit in a single page before copying them into the readdir cache.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31694. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart