CVE-2026-53311
Received Received - Intake
Uninitialized Memory Exposure in Linux Kernel FUSE

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: fuse: fix uninit-value in fuse_dentry_revalidate() fuse_dentry_revalidate() may be called with a dentry that didn't had ->d_time initialised. The issue was found with KMSAN, where lookup_open() calls __d_alloc(), followed by d_revalidate(), as shown below: ===================================================== BUG: KMSAN: uninit-value in fuse_dentry_revalidate+0x150/0x13d0 fs/fuse/dir.c:394 fuse_dentry_revalidate+0x150/0x13d0 fs/fuse/dir.c:394 d_revalidate fs/namei.c:1030 [inline] lookup_open fs/namei.c:4405 [inline] open_last_lookups fs/namei.c:4583 [inline] path_openat+0x1614/0x64c0 fs/namei.c:4827 do_file_open+0x2aa/0x680 fs/namei.c:4859 [...] Uninit was created at: slab_post_alloc_hook mm/slub.c:4466 [inline] slab_alloc_node mm/slub.c:4788 [inline] kmem_cache_alloc_lru_noprof+0x382/0x1280 mm/slub.c:4807 __d_alloc+0x55/0xa00 fs/dcache.c:1740 d_alloc_parallel+0x99/0x2740 fs/dcache.c:2604 lookup_open fs/namei.c:4398 [inline] open_last_lookups fs/namei.c:4583 [inline] path_openat+0x135f/0x64c0 fs/namei.c:4827 do_file_open+0x2aa/0x680 fs/namei.c:4859 [...] =====================================================
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-27
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-53311
EUVD
EUVD-2026-39846
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux_kernel fuse *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's FUSE (Filesystem in Userspace) component, specifically in the function fuse_dentry_revalidate(). The issue arises because fuse_dentry_revalidate() may be called with a dentry (directory entry) structure that has an uninitialized d_time field. This uninitialized value was detected by KMSAN (Kernel Memory Sanitizer) during certain file lookup operations, which can lead to undefined behavior.

Impact Analysis

The vulnerability involves the use of uninitialized memory within the kernel's FUSE filesystem code. While the exact impact is not detailed, uninitialized memory usage can potentially lead to unpredictable behavior, including system instability or crashes. However, no direct information about exploitation or security impact such as privilege escalation or data leakage is provided.

Detection Guidance

This vulnerability involves an uninitialized value in the Linux kernel function fuse_dentry_revalidate(). Detection would typically require monitoring for kernel warnings or bugs related to uninitialized values in fuse_dentry_revalidate.

Since the issue was found using KMSAN (Kernel Memory Sanitizer), enabling KMSAN on your kernel and monitoring its output could help detect this vulnerability.

There are no specific commands provided to detect this vulnerability directly.

Mitigation Strategies

The vulnerability has been resolved by fixing the uninitialized value in fuse_dentry_revalidate().

Immediate mitigation steps would include updating your Linux kernel to a version that contains this fix.

No other specific mitigation steps or workarounds are provided.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53311. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart