CVE-2026-31694
fuse: reject oversized dirents in page cache
Description
In the Linux kernel, the following vulnerability has been resolved: fuse: reject oversized dirents in page cache fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existing logic only checks whether the dirent fits in the remaining space of the current page and advances to a fresh page if not. It never checks whether the dirent itself exceeds PAGE_SIZE. As a result, a malicious FUSE server can return a dirent with namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB page systems this causes memcpy() to overflow the cache page by 24 bytes into the following kernel page. Reject dirents that cannot fit in a single page before copying them into the readdir cache.
INFO
Published Date :
May 1, 2026, 2:16 p.m.
Last Modified :
May 6, 2026, 7:23 p.m.
Remotely Exploit :
No
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Solution
- Update the Linux kernel to a patched version.
- Reject dirents that exceed PAGE_SIZE.
- Ensure dirents fit in a single page.
- Validate server-provided namelen field.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-31694.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-31694 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-31694
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-31694 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-31694 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
May. 06, 2026
Action Type Old Value New Value Added CWE NVD-CWE-noinfo Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.12.84 *cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13 up to (excluding) 6.18.25 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.19 up to (excluding) 7.0.2 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 6.6.136 Added Reference Type kernel.org: https://git.kernel.org/stable/c/45c05af36311624c1148123caeb011312495d86b Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/474ce83c96a55f2eeb14dee2be375eeadfdacdf5 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/51a8de6c50bf947c8f534cd73da4c8f0a13e7bed Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/7de93abfaae1b2dc94da8a07a36421bd073f1d8f Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/d23ad78bfd205eac26766e38ba7d79f279131098 Types: Patch -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 03, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H -
New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 01, 2026
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: fuse: reject oversized dirents in page cache fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existing logic only checks whether the dirent fits in the remaining space of the current page and advances to a fresh page if not. It never checks whether the dirent itself exceeds PAGE_SIZE. As a result, a malicious FUSE server can return a dirent with namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB page systems this causes memcpy() to overflow the cache page by 24 bytes into the following kernel page. Reject dirents that cannot fit in a single page before copying them into the readdir cache. Added Reference https://git.kernel.org/stable/c/45c05af36311624c1148123caeb011312495d86b Added Reference https://git.kernel.org/stable/c/474ce83c96a55f2eeb14dee2be375eeadfdacdf5 Added Reference https://git.kernel.org/stable/c/51a8de6c50bf947c8f534cd73da4c8f0a13e7bed Added Reference https://git.kernel.org/stable/c/7de93abfaae1b2dc94da8a07a36421bd073f1d8f Added Reference https://git.kernel.org/stable/c/d23ad78bfd205eac26766e38ba7d79f279131098