CVE-2026-31694
Published: 01 May 2026
Summary
CVE-2026-31694 is a high-severity vulnerability in the Linux kernel; its weakness type is unspecified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires validation of server-controlled dirent sizes like namelen before copying into page-cache pages, directly preventing the buffer overflow in fuse_add_dirent_to_cache().
Ensures timely identification, reporting, and patching of the FUSE buffer overflow flaw via stable kernel updates.
Provides kernel memory protections such as KASLR and page execute restrictions to limit successful exploitation of the page overflow into adjacent memory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel buffer overflow in FUSE (triggered by a malicious userspace server) enables memory corruption, leading to arbitrary code execution and privilege escalation from a low-privileged process.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
fuse: reject oversized dirents in page cache
fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existing logic only checks whether the dirent fits in the remaining space of the current page and advances to a fresh page if not. It never checks whether the dirent itself exceeds PAGE_SIZE. As a result, a malicious FUSE server can return a dirent with namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB page systems this causes memcpy() to overflow the cache page by 24 bytes into the following kernel page. Reject dirents that cannot fit in a single page before copying them into the readdir cache.
Deeper analysis
CVE-2026-31694 is a buffer overflow vulnerability in the Linux kernel's FUSE (Filesystem in Userspace) implementation, specifically in the fuse_add_dirent_to_cache() function. This function computes the serialized size of a directory entry (dirent) based on a server-controlled namelen field and copies it into a single page-cache page without checking if the dirent exceeds the PAGE_SIZE limit. On systems with 4 KiB pages, a malicious FUSE server can supply a dirent with namelen=4095, resulting in a 4120-byte record that overflows the target page by 24 bytes into the adjacent kernel page via memcpy().
A local attacker with low privileges (PR:L) who can control a FUSE server process can exploit this vulnerability by responding to readdir requests with oversized dirents. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability. Successful exploitation enables kernel memory corruption, potentially leading to arbitrary code execution, privilege escalation, or system denial of service.
The provided kernel patch references detail the mitigation, which rejects dirents that cannot fit within a single page before copying them into the readdir cache. These commits (e.g., 45c05af36311624c1148123caeb011312495d86b) update the FUSE logic to validate dirent sizes upfront, preventing the overflow. Security practitioners should apply the relevant stable kernel updates to affected versions.
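The size arithmetic and the upfront bounds check described above, modelled in userspace C as an added example (this is not the kernel patch). The fuse_dirent layout and 8-byte alignment follow include/uapi/linux/fuse.h; cache_page, cache_add_dirent, try_add and MODEL_PAGE_SIZE are hypothetical names, and 4 KiB pages are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u   /* assumption: 4 KiB pages, as in the advisory */

/* Record header layout as in include/uapi/linux/fuse.h */
struct fuse_dirent {
    uint64_t ino;
    uint64_t off;
    uint32_t namelen;           /* server-controlled */
    uint32_t type;
    char     name[];
};

/* Serialized size: 24-byte header plus name, rounded up to 8 bytes */
static size_t dirent_record_size(uint32_t namelen) {
    size_t raw = offsetof(struct fuse_dirent, name) + (size_t)namelen;
    return (raw + sizeof(uint64_t) - 1) & ~(sizeof(uint64_t) - 1);
}

/* Hypothetical model of one readdir-cache page (not a kernel structure) */
struct cache_page { unsigned char data[MODEL_PAGE_SIZE]; size_t used; };
enum add_result { ADDED, NEED_NEW_PAGE, REJECTED };

static enum add_result cache_add_dirent(struct cache_page *pg,
                                        const struct fuse_dirent *d) {
    size_t reclen = dirent_record_size(d->namelen);
    if (reclen > MODEL_PAGE_SIZE)             /* the check that was missing */
        return REJECTED;
    if (reclen > MODEL_PAGE_SIZE - pg->used)  /* the check that already existed */
        return NEED_NEW_PAGE;
    memcpy(pg->data + pg->used, d, reclen);
    pg->used += reclen;
    return ADDED;
}

/* Constructed input: build a zeroed record with this namelen and cache it */
static enum add_result try_add(size_t used, uint32_t namelen) {
    static struct cache_page pg;
    struct fuse_dirent *d = calloc(1, dirent_record_size(namelen));
    if (!d) return REJECTED;
    d->namelen = namelen;
    pg.used = used;
    enum add_result r = cache_add_dirent(&pg, d);
    free(d);
    return r;
}

int main(void) { printf("%zu %d\n", dirent_record_size(4095), try_add(0, 4095)); return 0; }
```

With only the remaining-space check, a 4120-byte record arriving at an empty page passes nothing useful: moving to a fresh page cannot help because the record is larger than any page.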
Details
- CWE(s)